Once you have the Password Policies feature turned on and the password quality requirements set, all user roles (including Security Admin) must meet those requirements - there are no exceptions whatsoever. Otherwise, they will not be able to log in.
How does Password Policy affect users' logins?
This is best explained with an example.
Your main Password Policy settings (password quality requirements) are:
- Minimum Password Length - "20"
- Minimum Password Strength - "Strong"
- Apply Password Policies To Existing Users and Their Passwords - "Enabled"
These settings mean that, if any existing user or a new user sets a new password with length less than "20" and strength less than "Strong", they will not be able to log in.
The above password quality requirements will be applied when, for example:
- Super Admin tries to update his own existing password
- Super Admin tries to update other users' existing passwords
- Super Admin tries to add a new user and set their password
- Other users (e.g. Editor, Subscriber) try to update their existing passwords
What happens when a user tries to set a new password that doesn't meet the requirements
If a user tries to update their own existing password through their profile page, and the new password does not meet the requirements set above, they will be prompted to confirm use of the password (see the screenshot below). If they don't check the box, the new password will not be saved.
If they do check the box, the new password will be saved even though it does not meet the requirements, but a notification will be displayed at the top of the user's profile page:
This notification means that the user should go back to their profile and set a new password that meets the requirements. Otherwise, they will not be able to use it the next time they log in.
What happens when a user tries to login with a new password that doesn't meet the requirements
When a user tries to log in with that password, the WP login form will display an "incorrect password" error:
Important: If you have "Login Guard - Login Cooldown Interval" and "IP Manager - Auto IP Blacklist" set, unsuccessful login attempts may lock you out or get you blacklisted. If that happens, please follow the guide outlined in the article here.
What user should do to successfully login
As the user is not able to log in with their new password, they will need to recover it - simply click "Lost your password?" and follow the instructions received by email.
The user will be prompted to create a new password. If their new password does not meet the password quality requirements set (see above), the following notification will display within the WP login form:
Note: Only a new password that meets the requirements will be accepted.
Once the user's newly created password meets the requirements (see the settings above), they will be able to log in.
Shield's Password Policies feature provides very powerful security protection for you and your site users - all users will be required to meet the password quality requirements set by the Security Administrator.
This feature is created for those that need to take their Security to the next level, and is highly recommended.
To learn how to enable and use Shield's Password Policies feature, please read the article here.
For more information on Password Policy and the password quality importance, please read the blog article here.