As we were in a development & testing phase, neither password salting nor a password policy was being used on our site. However, as we are about to start accepting student enrollments, I have just upgraded the first of two sites from 1.9.6 to 1.9.8, and I have also read all the Moodle docs about password security.
I would like to know what people with more real-life experience with Moodle think would be, both from a security and from a practical point of view, the best option to set up a site:
- enforce a strong password policy
- use the password salt option in config.php and let users keep using their weak passwords
- or enforce strong passwords AND use the password salt
Thanks in advance,