First, ensure the Roundcube password plugin is enabled in the following configuration file. I'm showing you the minimum changes, but you can apply your own rules.
Configuring the password plugin
# cat /usr/local/cwpsrv/var/services/roundcube/config/config.inc.php
$config['plugins'] = array( 'archive', 'zipdownload', 'managesieve', 'password', );
# cd /usr/local/cwpsrv/var/services/roundcube/plugins/
# cp -p password/config.inc.php.dist password/config.inc.php
The first setting deals with the minimum length of the password. I recommend enforcing at least 8 characters.
# vi password/config.inc.php
// Determine whether current password is required to change password.
// Default: false.
$config['password_confirm_current'] = true;
// Require the new password to be a certain length.
// set to blank to allow passwords of any length
$config['password_minimum_length'] = 8;
// Enables logging of password changes into logs/password
$config['password_log'] = true;
We should allow the user to reuse the old password as the new password. It may sound stupid, but because we are upgrading the password scheme from the weak unsalted MD5 to the better SHA2 algorithm, we should allow that:
// Enables saving the new password even if it matches the old password. Useful
// for upgrading the stored passwords after the encryption scheme has changed.
$config['password_force_save'] = true;
// Enables forcing new users to change their password at their first login.
$config['password_force_new_user'] = true;
// Default password hashing/crypting algorithm.
// Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
// sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, samba, ad, dovecot, clear.
// For details see password::hash_password() method.
$config['password_algorithm'] = 'md5';
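A quick check for the settings above, added here as an example and not part of the original post or of Roundcube: it reads only active (uncommented) $config lines, so a setting that ended up on the same line as its // comment is reported as unset. The function names, the constructed sample file and the list of algorithms treated as weak (which includes the unsalted md5 the text above calls weak) are this example's assumptions.

```shell
# Print the value assigned to $config['<key>'] on an active (uncommented) line.
cfg_value() {
    sed -n 's/^[[:space:]]*[$]config\['"'$2'"'][[:space:]]*=[[:space:]]*\([^;]*\);.*$/\1/p' "$1" \
        | tail -n 1 | tr -d "'\" "
}

# Report each setting; return 1 if any finding is raised.
audit_password_plugin() {
    file=$1; rc=0
    algo=$(cfg_value "$file" password_algorithm)
    minlen=$(cfg_value "$file" password_minimum_length)
    confirm=$(cfg_value "$file" password_confirm_current)

    # Weak list is this example's assumption: unsalted, legacy or plaintext schemes.
    case "$algo" in
        '')                      echo "FINDING password_algorithm not set in $file"; rc=1 ;;
        md5|sha|clear|des-crypt) echo "FINDING password_algorithm=$algo is weak"; rc=1 ;;
        *)                       echo "ok      password_algorithm=$algo" ;;
    esac

    if [ "${minlen:-0}" -ge 8 ] 2>/dev/null; then
        echo "ok      password_minimum_length=$minlen"
    else
        echo "FINDING password_minimum_length=${minlen:-unset} (want >= 8)"; rc=1
    fi

    if [ "$confirm" = "true" ]; then
        echo "ok      password_confirm_current=true"
    else
        echo "FINDING password_confirm_current=${confirm:-unset} (want true)"; rc=1
    fi
    return $rc
}

# Constructed sample input mirroring the values shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
$config['password_confirm_current'] = true;
// $config['password_minimum_length'] = 0;
$config['password_minimum_length'] = 8;
$config['password_algorithm'] = 'md5';
EOF
audit_password_plugin "$sample" || echo "review the findings above"
rm -f "$sample"
```

On a real install, point audit_password_plugin at password/config.inc.php in the plugins directory used above.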
This post is based on this article.