Maybe there was a simpler way to do this but this is what I’ve done. I’ve added rules to the change_password application; some of these using the options available in SC, others with simple rules (new password cannot be the same as the old, cannot be the same as the user login…) - and this - which is called from Events > Onvalidate before passwords are encrypted.
What it does:
Requires password to be 8-20 characters
Verifies that users password contains A-Z, a-z, 0-9 and a special character.
Here’s the code:
$pwd={pswd} ;
if (preg_match("#.^(?=.{8,20})(?=.[a-z])(?=.[A-Z])(?=.[0-9]).*$#", $pwd)){
return true ;
} else {
sc_error_message(“Your new password must comply with password requirements”) ;
}