Security announcements

MSA-09-0029: Multiple password related issues

Helen Foster
Topic: Multiple password related issues
Severity/Risk: Critical
Versions affected: <1.8.11 and <1.9.7
Reported by: exploit of weak passwords published anonymously on and multiple other reports
Issue no.: MDL-18807, MDL-18006, MDL-19608, MDL-20934
Solution: upgrade to 1.8.11 or 1.9.7
Workaround: set up password salt in config.php, enforce strong password policy, force password change on important accounts, verify LDAP configuration if used

Administrators are now forced to change their password after upgrading. The installer now puts a random password salt into config.php; existing sites notify administrators to configure the salt via the security overview reports. A strong password policy is now enabled by default. Only internal authentication plugins now store password hashes in the user table; cached hashes are removed for all external plugins (though the LDAP plugin already had an option to keep passwords out of the user table). Bulk user actions now include an option to force a password change.
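
An added example (not Moodle's code and not part of the original announcement): a Python audit of two of the items above, the salt in config.php and cached hashes left behind for external authentication plugins. It assumes the salt setting is `$CFG->passwordsaltmain`, that `manual` and `email` are the internal plugins, and that cleared rows hold the placeholder `not cached`; the sample config and user rows are constructed.

```python
import re

# Assumptions (not stated in the announcement): the salt lives in
# $CFG->passwordsaltmain, the internal plugins are "manual" and "email",
# and external-auth rows should hold the placeholder "not cached".
INTERNAL_AUTH = {"manual", "email"}
PLACEHOLDER = "not cached"
MIN_SALT_LEN = 20  # local policy threshold, an assumption

# Anchored at line start so a commented-out assignment does not count.
SALT_RE = re.compile(
    r"""^\s*\$CFG->passwordsaltmain\s*=\s*(['"])(.*?)\1\s*;""", re.M)

def find_salt(config_text):
    """Return the configured salt, or None if unset or commented out."""
    m = SALT_RE.search(config_text)
    return m.group(2) if m else None

def audit(config_text, users):
    """users: iterable of dicts with username, auth and password columns."""
    findings = []
    salt = find_salt(config_text)
    if not salt:
        findings.append(("config", "no password salt set"))
    elif len(salt) < MIN_SALT_LEN or len(set(salt)) < 8:
        findings.append(("config", "password salt is short or low-variety"))
    for u in users:
        # External plugins should keep no hash: empty or placeholder only.
        if u["auth"] not in INTERNAL_AUTH and u["password"] not in ("", PLACEHOLDER):
            findings.append(
                (u["username"], "cached hash under external auth: " + u["auth"]))
    return findings

# Constructed sample input (not real site data).
SAMPLE_CONFIG = """<?php
$CFG->dbtype = 'mysql';
// $CFG->passwordsaltmain = 'example-only';
"""
SAMPLE_USERS = [
    {"username": "admin", "auth": "manual", "password": "0" * 32},
    {"username": "jdoe", "auth": "ldap", "password": "f" * 32},
    {"username": "asmith", "auth": "ldap", "password": "not cached"},
]

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_CONFIG, SAMPLE_USERS):
        print(f"{subject}: {issue}")
```

Run it against a copy of config.php and a read-only export of the `username`, `auth` and `password` columns, and treat the export itself as sensitive.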