Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -
Number of replies: 23
Hi, I'm getting a lot of feedback from users that the lost password retrieval process is too confusing! Moodle sends the user 2 emails: the first to verify that you made a request to change your pw; then the link brings you back to the Moodle site; then Moodle sends you a randomly generated pw, which you then have to enter back into the site; then change it to something you'll remember.

I'm sure you have seen other lost password retrieval processes where the system just sends you your created password or a randomly generated password via email once you've typed in your username/password. Could anyone shed some light on whether your users have the same issues? Or any other way to handle lost passwords? Are other ways not safe in terms of online security? Please reply to this post; I feel this issue causes a lot of frustration for users, which deters usage as well as sidetracking from all the positive things in Moodle. Thanks.
In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Helen Foster -
Hi Abel,

I'd forgotten what it was like to retrieve a Moodle password and so tried it out on demo.moodle.net. I've copied the emails below for the record. I agree with you that the process does seem complicated.

However, as a moodle.org admin I receive quite a few messages from people who received a change password confirmation email in error. I reply saying that the change password confirmation email was most likely generated by someone with a similar username who didn't remember it correctly, or who mistyped it.

At least having a lost password retrieval process of 2 emails means that people's passwords aren't reset in these cases.



Hi Kim,

Someone (probably you) has requested a new password for your
account on 'Moodle Demonstration Site'.

To confirm this and have a new password sent to you via email,
go to the following web address:

http://demo.moodle.net/login/forgot_password.php?p=Zba3UrhlT6zA4q0&s=kim

In most mail programs, this should appear as a blue link
which you can just click on. If that doesn't work,
then cut and paste the address into the address
line at the top of your web browser window.

If you need help, please contact the site administrator,

Admin User




Hi Kim,

Your account password at 'Moodle Demonstration Site' has been reset
and you have been issued with a new temporary password.

Your current login information is now:
username: kim
password: 6rn*l3NU

Please go to this page to change your password:
http://demo.moodle.net/login/change_password.php

In most mail programs, this should appear as a blue link
which you can just click on. If that doesn't work,
then cut and paste the address into the address
line at the top of your web browser window.

Cheers from the 'Moodle Demonstration Site' administrator,

Admin User

In reply to Helen Foster

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Michael Buchanan -
I've changed my password at some sites where, when you receive the first email message to confirm you want to change the password, the link you are given takes you to a page to create your own new password, instead of having one created for you and emailed to you.

Would this work for Moodle or is it considered a less secure model?
In reply to Michael Buchanan

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Helen Foster -
Hmm, Michael your suggestion does sound simpler. I've no idea whether it's less secure though.

If you've a chance, please could you create an issue in the Moodle Tracker for it (you'll need to create a tracker account in order to create an issue) so that it can be reviewed by developers. Please post the tracker issue number in this discussion so that others can comment and/or vote for it to be implemented.
In reply to Helen Foster

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Michael Buchanan -
I submitted an improvement suggestion concerning the forgotten password functionality.

My suggestion is that once a person receives the first email after requesting a new password, if they confirm that they did request to reset the password, they click on a link which takes them immediately to a page which allows them to enter a new password, which would have to conform to the site's security settings.

The tracker URL is http://tracker.moodle.org/browse/MDL-23692
In reply to Michael Buchanan

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -

So, after all this time, I still have this ongoing problem of password retrieval issues. I should mention that this is a very real problem for my group of learners because they're adults who are being asked by the company to take an online course every couple of months or so. They're very likely going to forget their password.

My question now is: does anyone know how to change the auto-generated password to be less random? Moodle is generating passwords like this:

lO105S08B

That's crazy!  My users cannot tell if it's a zero or the letter "O" or 1 vs small caps L.

Again, I know you and I might copy and paste the password; but again we're talking about less tech-savvy adult learners who might not realize to do that.

===

Also, responding to the 'proposed' password change by Michael Buchanan: is there any security risk? I couldn't think of any atm. It totally gets rid of randomly generated passwords, and getting 1 email instead of 2 would be huge; especially, as mentioned in the tracker, because of the issue with IT email systems filtering the temp pw email as spam.

http://tracker.moodle.org/browse/MDL-23692

1. On the Forgotten password page, user types in username or email address.
2. Email is sent to person. If they confirm that they want to change their password, they click on the provided link.
3. They are taken to a change password page where they would need to enter a password conforming to the standards set up by the security settings.
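The three steps above, written out as an added example (not Moodle's code and not the tracker's patch) of why the single-link flow can be as safe as the two-email one: the link carries a random token that is only ever stored hashed, expires, and is good for one use, so a request made against a mistyped username cannot reset anyone's password without access to that person's mailbox. The store, policy regex and function names are assumptions.

```python
# Added example (not Moodle code): single-link password reset as proposed
# in MDL-23692. Step 1 issues a token; steps 2-3 verify it and let the
# user choose a policy-conforming password. Names below are assumptions.
import hashlib
import re
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime of a reset link
# Assumed site policy: 8+ chars with a lower, an upper and a digit.
PASSWORD_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")

# Constructed in-memory stand-ins for the user and reset-token tables.
USERS = {"kim": {"email": "kim@example.com", "pw_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a database read does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: return the token that would be mailed, or None for an unknown
    account. The web form shows the same 'check your email' message in both
    cases so that it does not reveal which usernames exist."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits, unguessable
    RESET_TOKENS[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def confirm_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Steps 2-3: the token proves control of the mailbox, then the user sets
    their own password. Tokens expire and are consumed on success."""
    now = time.time() if now is None else now
    key = _hash_token(token)
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        del RESET_TOKENS[key]
        return False
    if not PASSWORD_RE.match(new_password):
        return False  # token stays valid so the user can retry
    del RESET_TOKENS[key]  # single use
    # Stand-in hash; a real site would use a slow password hash here.
    USERS[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```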

In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Iñaki Arenaza -

My question now is anyone know how to change the auto generated password to be less random?

There's at least three ways to do it:

  • Disable password policy (in Administration >> Security >> Site Policies). This produces very simple (and unsecure) passwords, but also allows the user to set unsecure passwords themselves.
  • Lower the complexity requirements. For example, you can disable requiring digits, so your users won't mistake a 0 for a O, or a 1 for a L. Again this makes your passwords less secure.
  • Edit lib/moodlelib.php and find the lines containing the definitions for PASSWORD_LOWER, PASSWORD_UPPER, PASSWORD_DIGITS and PASSWORD_NONALPHANUM, and remove only the problematic characters (0 or O, 1 or L, etc.) This way your passwords can still be quite secure.

Saludos. Iñaki.
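The third option above, removing look-alike characters from the generator's alphabet while keeping the per-class policy, as an added example in Python rather than Moodle's PHP (it is not Moodle's generator, and the character sets, policy names and default minimums are assumptions):

```python
# Added example (not Moodle's generator): a temporary password that meets a
# per-class policy like Moodle's site policies but never uses characters
# that are easily confused when read from an email (0/O, 1/l/I, 5/S, 8/B).
# Character sets and policy names are assumptions.
import secrets
import string
from typing import Dict, Optional

AMBIGUOUS = set("0O1lI5S8B|`'\"")

CLASSES = {
    "lower": "".join(c for c in string.ascii_lowercase if c not in AMBIGUOUS),
    "upper": "".join(c for c in string.ascii_uppercase if c not in AMBIGUOUS),
    "digits": "".join(c for c in string.digits if c not in AMBIGUOUS),
    "nonalnum": "".join(c for c in "!#$%&*+-=?@^_~" if c not in AMBIGUOUS),
}
DEFAULT_MINIMUMS = {"lower": 1, "upper": 1, "digits": 1, "nonalnum": 1}


def generate_password(length: int = 8, minimums: Optional[Dict[str, int]] = None) -> str:
    """Return exactly `length` characters with at least minimums[cls] from
    each class, drawn with the secrets module from unambiguous characters.
    A class whose minimum is 0 (e.g. symbols) is left out entirely."""
    minimums = DEFAULT_MINIMUMS if minimums is None else minimums
    if sum(minimums.values()) > length:
        raise ValueError("length too short for the policy minimums")
    chars = []
    # Satisfy each class minimum first...
    for cls, n in minimums.items():
        chars.extend(secrets.choice(CLASSES[cls]) for _ in range(n))
    # ...then fill the remainder from the classes the policy actually wants.
    pool = "".join(CLASSES[cls] for cls, n in minimums.items() if n > 0)
    pool = pool or "".join(CLASSES.values())
    chars.extend(secrets.choice(pool) for _ in range(length - len(chars)))
    # Fisher-Yates shuffle so required characters are not always in front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(pw: str, length: int, minimums: Dict[str, int]) -> bool:
    return len(pw) == length and all(
        sum(c in CLASSES[cls] for c in pw) >= n for cls, n in minimums.items()
    )


def is_unambiguous(pw: str) -> bool:
    return not (set(pw) & AMBIGUOUS)
```

With `{"nonalnum": 0}` in the minimums the output contains no symbols at all, which is the setting the poster's 6-character policy describes.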

In reply to Iñaki Arenaza

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -
  • Edit lib/moodlelib.php and find the lines containing the definitions for PASSWORD_LOWER, PASSWORD_UPPER, PASSWORD_DIGITS and PASSWORD_NONALPHANUM, and remove only the problematic characters (0 or O, 1 or L, etc.) This way your passwords can still be quite secure.
Hi, thanks for your suggestions, but I ran into some serious problems after making changes to moodlelib.php; it completely shut me out of the site + error messages. Good thing I had a backup.
  • Disable password policy (in Administration >> Security >> Site Policies). This produces very simple (and unsecure) passwords, but also allows the user to set unsecure passwords themselves.
  • Lower the complexity requirements. For example, you can disable requiring digits, so your users won't mistake a 0 for a O, or a 1 for a L. Again this makes your passwords less secure.
As for these suggestions: I had these policies set to a very simple setting, i.e. 6 letters/digits in length. My problem is that Moodle seems to disregard these settings when it comes to auto-generating passwords during the pw retrieval process. They only apply to creating a new password.

Thanks.

In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Iñaki Arenaza -

If you enable password policy and set 'Password Length' to anything greater than 0, then the generated passwords are exactly that length (always, irrespective of whether you are creating a new password or recovering it).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -

Can we try this one more time? I have the password policy set ONLY to 6 digits/letters. My problem is that the 'lost password' system from Moodle generates very random passwords with symbols. In the password policy, symbols is set to zero. How do I make Moodle not generate new passwords with symbols? And I've tried the lib file, which really messes up everything as mentioned before. Thanks.

In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Iñaki Arenaza -
Which Moodle version are you using? (if you could copy the contents of version.php here that would be even better).

Saludos.
Iñaki.
In reply to Helen Foster

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Glenys Hanson -
Hi there,

Where I work, added to the already heavy university requirements for logging on to their database, students then having to go through another complicated (see above) log on process means that, Moodle enthusiast that I am, I can't really recommend it for the sort of courses we run (usually very short, 1 or 2 weeks) or even for the year-long evening courses.

For the evening courses it means that at that time of the day the teachers are on their own to deal with all the log on problems. I recently experimented on a course where I was the teacher (I'm not a coder or anything like that, but reasonably experienced with Moodle) and I only managed to get 1 out of 8 students (a very small group, one of whom was absent at the time) actually connected to Moodle when we were physically present in our Media Centre. Four more of them eventually managed to connect themselves from home - after I'd sent several explanatory emails with screenshots, etc.

There must be a simpler way to do this.

Cheers,
Glenys
In reply to Helen Foster

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Chris Nelson -

I tried the above to see what exactly happens on our Moodle installation (version 1.9.7), and once I get to the link:

Please go to this page to change your password:
http://demo.moodle.net/login/change_password.php

I click on the link, it takes me to the login page where I enter my username/new password, and I am taken in directly to my course site (no password change option).

If I click on the link a second time (while logged in to my Moodle site), then I am presented with the change password option.

If I log out and try the link again. The process is repeated.

Am I doing something wrong? I have tried this twice and am getting the same issue.

Thanks in advance.

In reply to Chris Nelson

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Henry Happ -
We just upgraded to 1.9.8+ and a new semester started on Monday. I have had a large number of emails from students who can't get their password changed. Some go through the forgot password process and think the temporary password is their permanent one, so after a day it stops working for them, after which I get an email. I tried checking this process out and our site works just like Chris states above: click on the link in the email, go to the login page, go to your courses. Nothing about changing your password.

How is this supposed to work?
In reply to Henry Happ

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -

First, Chris's issue might be different from Henry's issue.

Chris might be an administrator so you can't change your password like other students (confirm?).

http://docs.moodle.org/en/Administration_FAQ#I_have_forgotten_the_admin_password

The admin can always change users' passwords directly from the list of accounts; that's one way. Or use the lost password feature to generate a temp password, then go through the steps to create a new one.

Just to reiterate my issue is still unresolved, which is whether anyone can write or tweak some codes to streamline password retrieval. If moodle, just sends the user their pw then none of this would be an issue.

In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -
Does anyone know how to change the auto generated password to something less complicated? Moodle generates a random temporary password with all the password policy activated i.e. must incl. with caps, small caps, a number, a symbol, etc... This is complicated for users to type in. Any ideas? Thanks.
In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Glenys Hanson -
Hi Abel,

I'm afraid this is the way the world's going: complicated passwords are necessary to protect our privacy. They aren't necessarily difficult to remember though. There are a number of techniques, here's one:
  • Compose a short, memorable sentence.
  • Select the first letter of each word plus numbers and punctuation marks.
Example:

Oh, my God! I've got 10 zits

gives:

O,mG!I'vg10z

And, if you're on your own computer, you can have your browser remember it so you don't have to type it in very often.

Cheers,
Glenys
In reply to Glenys Hanson

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Lindley Bailey -
Random numbers would be easier to type in than special characters.

Passwords generated with moodle contain special characters which are hard to type. You could use the random number generator in spreadsheet programs to create a number password list, then paste it into a spreadsheet of new users for upload.

Sincerely,
Lin Bailey


In reply to Lindley Bailey

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Abel Cheng -
Lin, are you referring to 'lost passwords' or general passwords for users? My users can make up their own passwords; the security setting is just 6 characters or more. But, somehow, Moodle's auto-generated "lost password" email sends complicated random digits, letters, special char. passwords. Is your solution meant for lost passwords? Does anyone know where to change this in the code? Thanks again for everyone's feedback.
In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Lindley Bailey -
Sorry, I missed the "lost password" part. My suggestion was only good for adding new users, or updating existing users manually, which won't work in your case.
Sincerely,
Lin Bailey
In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Keith Ross -
I don't receive that email with the link to change the password. I upgraded to 1.9.9
In reply to Abel Cheng

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Amy Emanuel -

We have Moodle 2.4 and this is an issue for us too. The change of password process is way too complicated. It would be great if this could be resolved and the process simplified. Any suggestions???

Amy

In reply to Amy Emanuel

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Derek Chirnside -

Probably nothing will happen with Moodle core Amy.  Security reasons.  What you regard as an issue is actually a feature.

What exactly do you want to happen?  You can of course decide this and then get an authentication add-on created.

-Derek

In reply to Amy Emanuel

Re: Lost password alternatives? Overly complicated or required for security purpose?

by Kathy Cannon -

Hi Amy, 

I'm in agreement that a simpler process for resetting a password is needed... and I'm reading that security is not the whole story.  Here's a forum started recently 

https://moodle.org/mod/forum/discuss.php?d=232821

And a tracker item that you could vote for and watch for developments. 

https://tracker.moodle.org/browse/MDL-23692

And here's a development proposal that is offered.

http://docs.moodle.org/dev/Password_Reset_Proposal

I've voted and will be watching!  

- Kathy C