Lost password alternatives? Overly complicated or required for security purpose?
I'm sure you have seen other lost password retrieval processes where the system just sends you your created password or a randomly generated password via email once you typed in your username/password. Could anyone shed some light on whether your users have the same issues? Or any other way to handle lost passwords? Are other ways not safe in terms of online security? Please reply to this post; I feel this issue causes a lot of frustration for users, which deters usage as well as sidetracks from all the positive things in moodle. Thanks.
Re: Lost password alternatives? Overly complicated or required for security purpose?
I'd forgotten what it was like to retrieve a Moodle password and so tried it out on demo.moodle.net. I've copied the emails below for the record. I agree with you that the process does seem complicated.
However, as a moodle.org admin I receive quite a few messages from people who received a change password confirmation email in error. I reply saying that the change password confirmation email was most likely generated by someone with a similar username who didn't remember it correctly, or who mistyped it.
At least having a lost password retrieval process of 2 emails means that people's passwords aren't reset in these cases.
Hi Kim,
Someone (probably you) has requested a new password for your
account on 'Moodle Demonstration Site'.
To confirm this and have a new password sent to you via email,
go to the following web address:
http://demo.moodle.net/login/
In most mail programs, this should appear as a blue link
which you can just click on. If that doesn't work,
then cut and paste the address into the address
line at the top of your web browser window.
If you need help, please contact the site administrator,
Admin User
Hi Kim,
Your account password at 'Moodle Demonstration Site' has been reset
and you have been issued with a new temporary password.
Your current login information is now:
username: kim
password: 6rn*l3NU
Please go to this page to change your password:
http://demo.moodle.net/login/
In most mail programs, this should appear as a blue link
which you can just click on. If that doesn't work,
then cut and paste the address into the address
line at the top of your web browser window.
Cheers from the 'Moodle Demonstration Site' administrator,
Admin User
Re: Lost password alternatives? Overly complicated or required for security purpose?
Would this work for Moodle or is it considered a less secure model?
Re: Lost password alternatives? Overly complicated or required for security purpose?
If you have a chance, please could you create an issue in the Moodle Tracker for it (you'll need to create a tracker account in order to create an issue) so that it can be reviewed by developers. Please post the tracker issue number in this discussion so that others can comment and/or vote for it to be implemented.
Re: Lost password alternatives? Overly complicated or required for security purpose?
My suggestion is that once a person receives the first email after requesting a new password, if they confirm that they did request to reset the password, they click on a link which takes them immediately to a page which allows them to enter a new password which would have to conform to the site's security settings.
The tracker URL is http://tracker.moodle.org/browse/MDL-23692
Re: Lost password alternatives? Overly complicated or required for security purpose?
So, after all this time I still have this ongoing problem of password retrieval issues. I should mention that this is a very real problem for my group of learners because they're adults who are being asked by the company to take an online course every couple of months or so. They're very likely going to forget their password.
My question now is: does anyone know how to change the auto generated password to be less random? Moodle is generating passwords like this:
lO105S08B
That's crazy! My users cannot tell if it's a zero or the letter "O" or 1 vs small caps L.
Again, I know you and I might copy and paste the password; but again we're talking about a less tech savvy adult learners who might not realize to do that.
===
Also, responding to the 'proposed' password change by Michael Buchanan; is there any security risk? I couldn't think of any atm. It totally gets rid of randomly generated passwords; and getting 1 email instead of 2 would be huge; especially, as mentioned in the tracker, the issue with IT email systems filtering the temp pw email as spam.
http://tracker.moodle.org/browse/MDL-23692
1. On the Forgotten password page, user types in username or email address.
2. Email is sent to person. If they confirm that they want to change their password, they click on the provided link.
3. They are taken to a change password page where they would need to enter a password conforming to the standards set up by the security settings.
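The three-step flow above, written out as an added example (not Moodle's code, and not the tracker proposal's implementation): one email carrying a single-use, time-limited link, and no change to the account until that link is used. The in-memory array stands in for a database table, and every function name and URL here is hypothetical.

```php
<?php
// Added example, not Moodle's own code: the one-email reset flow proposed above.
// $store is a stand-in for a reset-request table: userid => [hash, expires].
const RESET_TTL_SECONDS = 30 * 60;

/** Steps 1-2: the user entered a username/email; build the link to put in the email. */
function issue_reset_link(array &$store, int $userid, string $baseurl): string {
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    // Store only a hash of the token: a leaked table row cannot be replayed as a link.
    $store[$userid] = ['hash' => hash('sha256', $token),
                       'expires' => time() + RESET_TTL_SECONDS];
    // Nothing about the account changes yet, so a request made by mistake for a
    // similar username (the moodle.org admin case earlier in the thread) leaves
    // the real owner's password untouched.
    return $baseurl . '?uid=' . $userid . '&token=' . $token;
}

/** Step 3: the link was clicked; check the token before showing the new-password form. */
function consume_reset_token(array &$store, int $userid, string $token): bool {
    if (!isset($store[$userid])) { return false; }
    $req = $store[$userid];
    unset($store[$userid]);                          // single use, whether valid or not
    if (time() > $req['expires']) { return false; }  // link too old
    // hash_equals() compares in constant time, so timing reveals nothing about the hash.
    return hash_equals($req['hash'], hash('sha256', $token));
}

/** The new password must still satisfy the site's policy (illustrative minimums). */
function meets_policy(string $password, int $minlength = 8): bool {
    return strlen($password) >= $minlength
        && preg_match('/[a-z]/', $password) === 1
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

// Walk-through with constructed values (hypothetical site URL and user id).
$resetRequests = [];
$link = issue_reset_link($resetRequests, 42, 'https://example.test/login/reset.php');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
$firstClick  = consume_reset_token($resetRequests, (int)$q['uid'], $q['token']);
$secondClick = consume_reset_token($resetRequests, (int)$q['uid'], $q['token']);  // same token again
var_dump($firstClick, $secondClick, meets_policy('Correct-Horse-9'));
```

The second call with the same token fails because the request record was removed on first use, which is what makes a forwarded or intercepted old email harmless.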
Re: Lost password alternatives? Overly complicated or required for security purpose?
My question now is anyone know how to change the auto generated password to be less random?
There's at least three ways to do it:
- Disable password policy (in Administration >> Security >> Site Policies). This produces very simple (and insecure) passwords, but also allows the user to set insecure passwords themselves.
- Lower the complexity requirements. For example, you can disable requiring digits, so your users won't mistake a 0 for an O, or a 1 for an L. Again this makes your passwords less secure.
- Edit lib/moodlelib.php and find the lines containing the definitions for PASSWORD_LOWER, PASSWORD_UPPER, PASSWORD_DIGITS and PASSWORD_NONALPHANUM, and remove only the problematic characters (0 or O, 1 or L, etc.) This way your passwords can still be quite secure.
Saludos. Iñaki.
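The third option above, as an added example rather than a patch to Moodle's lib/moodlelib.php: a generator whose character sets omit 0/O and 1/l/I, that draws only from the sets the policy actually requires (so a policy with zero symbols never emits symbols), and that uses the CSPRNG random_int() instead of rand(). The set names and generate_readable_password() are hypothetical.

```php
<?php
// Added example, not Moodle code. Ambiguous characters removed from each set:
const READABLE_LOWER       = 'abcdefghijkmnopqrstuvwxyz';   // no 'l'
const READABLE_UPPER       = 'ABCDEFGHJKLMNPQRSTUVWXYZ';    // no 'I', 'O'
const READABLE_DIGITS      = '23456789';                    // no '0', '1'
const READABLE_NONALPHANUM = '.,;:!?_-+/*@#&$';             // easy-to-type symbols only

/**
 * Build a password of $length characters with at least the requested number of
 * lower, upper, digit and symbol characters. Sets with a minimum of 0 are not
 * used at all, which is the behaviour asked for in this thread.
 */
function generate_readable_password(int $length = 8, int $minlower = 1,
        int $minupper = 1, int $mindigits = 1, int $minnonalnum = 0): string {
    $quota = [READABLE_LOWER => $minlower, READABLE_UPPER => $minupper,
              READABLE_DIGITS => $mindigits, READABLE_NONALPHANUM => $minnonalnum];
    $required = array_sum($quota);
    if ($required > $length) {
        throw new InvalidArgumentException('policy minimums exceed password length');
    }
    $pool  = '';   // union of the sets the policy requires
    $chars = [];
    foreach ($quota as $set => $min) {
        if ($min <= 0) { continue; }
        $pool .= $set;
        for ($i = 0; $i < $min; $i++) {            // guarantee each minimum
            $chars[] = $set[random_int(0, strlen($set) - 1)];
        }
    }
    if ($pool === '') { $pool = READABLE_LOWER; } // policy disabled: still produce something
    for ($i = $required; $i < $length; $i++) {     // fill the rest from the pool
        $chars[] = $pool[random_int(0, strlen($pool) - 1)];
    }
    // Fisher-Yates with random_int(): str_shuffle() is not cryptographically secure,
    // and without a shuffle the forced characters would always sit at the front.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

// 8 characters, letters and digits only, no symbols, none of 0/O/1/l/I.
echo generate_readable_password(8, 1, 1, 1, 0), PHP_EOL;
```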
Re: Lost password alternatives? Overly complicated or required for security purpose?
- Edit lib/moodlelib.php and find the lines containing the definitions for PASSWORD_LOWER, PASSWORD_UPPER, PASSWORD_DIGITS and PASSWORD_NONALPHANUM, and remove only the problematic characters (0 or O, 1 or L, etc.) This way your passwords can still be quite secure.
- Disable password policy (in Administration >> Security >> Site Policies). This produces very simple (and insecure) passwords, but also allows the user to set insecure passwords themselves.
- Lower the complexity requirements. For example, you can disable requiring digits, so your users won't mistake a 0 for an O, or a 1 for an L. Again this makes your passwords less secure.
Thanks.
Re: Lost password alternatives? Overly complicated or required for security purpose?
If you enable password policy and set 'Password Length' to anything greater than 0, then the generated passwords are exactly that length (always, irrespective of whether you are creating a new password or recovering it).
Saludos. Iñaki.
Re: Lost password alternatives? Overly complicated or required for security purpose?
Can we try this one more time? I have the password policy set ONLY to 6 digits/letters. My problem is that the 'lost password' system from moodle generates very random passwords with symbols. In the password policy, symbols is set to zero. How do I make moodle not generate new passwords with symbols? And I've tried the lib file, which really messes up everything as mentioned before. Thanks.
Re: Lost password alternatives? Overly complicated or required for security purpose?
Saludos.
Iñaki.
Re: Lost password alternatives? Overly complicated or required for security purpose?
Where I work, added to the already heavy university requirements for logging on to their database, students having then to go through another complicated (see above) log on process means that, Moodle enthusiast that I am, I can't really recommend it for the sort of courses (usually very short, 1 or 2 weeks) or even for the year long evening courses that we run.
For the evening courses it means that at that time of the day the teachers are on their own to deal with all the log on problems. I recently experimented on a course where I was the teacher (I'm not a coder or anything like that, but reasonably experienced with Moodle) and I only managed to get 1 out of 8 students (a very small group, one of whom was absent at the time) actually connected to Moodle when we were physically present in our Media Centre. Four more of them eventually managed to connect themselves from home - after I'd sent several explanatory emails with screenshots, etc.
There must be a simpler way to do this.
Cheers,
Glenys
Re: Lost password alternatives? Overly complicated or required for security purpose?
I tried the above to see what exactly happens on our moodle installation (version 1.9.7) and once I get to the link:
Please go to this page to change your password:
http://demo.moodle.net/login/change_password.php
I click on the link, it takes me to the login page where I enter my username/new password, and I am taken in directly to my course site (no password change option).
If I click on the link a second time (while logged in to my moodle site), then I am presented with the change password option.
If I log out and try the link again, the process is repeated.
Am I doing something wrong? I have tried this twice and am getting the same issue.
Thanks in advance.
Re: Lost password alternatives? Overly complicated or required for security purpose?
How is this supposed to work?
Re: Lost password alternatives? Overly complicated or required for security purpose?
First, Chris's issue might be different from Henry's issue.
Chris might be an administrator so you can't change your password like other students (confirm?).
http://docs.moodle.org/en/Administration_FAQ#I_have_forgotten_the_admin_password
The admin can always change users' passwords directly from the list of accounts; that's one way. Or use the lost password feature to generate a temp password, then go through the steps to create a new one.
Just to reiterate, my issue is still unresolved, which is whether anyone can write or tweak some code to streamline password retrieval. If moodle just sends the user their pw then none of this would be an issue.
Re: Lost password alternatives? Overly complicated or required for security purpose?
I'm afraid this is the way the world's going: complicated passwords are necessary to protect our privacy. They aren't necessarily difficult to remember though. There are a number of techniques, here's one:
- Compose a short, memorable sentence.
- Select the first letter of each word plus numbers and punctuation marks.
Oh, my God! I've got 10 zits
gives:
O,mG!I'vg10z
And, if you're on your own computer, you can have your browser remember it so you don't have to type it in very often.
Cheers,
Glenys
Re: Lost password alternatives? Overly complicated or required for security purpose?
Passwords generated with moodle contain special characters which are hard to type. You could use the random number generator in spreadsheet programs to create a number password list, then paste it into a spreadsheet of new users for upload.
Sincerely,
Lin Bailey
Re: Lost password alternatives? Overly complicated or required for security purpose?
Sincerely, Lin Bailey
Re: Lost password alternatives? Overly complicated or required for security purpose?
We have Moodle 2.4 and this is an issue for us too. The change of password process is way too complicated. It would be great if this could be resolved and the process simplified. Any suggestions???
Amy
Re: Lost password alternatives? Overly complicated or required for security purpose?
Probably nothing will happen with Moodle core Amy. Security reasons. What you regard as an issue is actually a feature.
What exactly do you want to happen? You can of course decide this and then get an authentication add-on created.
-Derek
Re: Lost password alternatives? Overly complicated or required for security purpose?
Hi Amy,
I'm in agreement that a simpler process for resetting a password is needed... and I'm reading that security is not the whole story. Here's a forum started recently
https://moodle.org/mod/forum/discuss.php?d=232821
And a tracker item that you could vote for and watch for developments.
https://tracker.moodle.org/browse/MDL-23692
And here's a development proposal that is offered.
http://docs.moodle.org/dev/Password_Reset_Proposal
I've voted and will be watching!
- Kathy C