Login problems - password characters

by Guillermo Madero -
Number of replies: 4

As an admin of several installations, I'm about to go insane with the not-so-infrequent complaint "I cannot login with the assigned usr/pwd".

The problem has two unknowns:

1. why do some accounts work while others do not?
2. why do some accounts, which initially worked ok, stop doing so? (yes, they do! and I'm not having hallucinations... I have the logs to prove it).

Given information:

- Usernames consist of 6 to 15 plain lowercase letters (a-z).
- Passwords follow the default password policy: they consist of 8 characters, with at least "all the minimums required".
- Users cannot change their passwords.
- I'm the only admin.
- The problem appears in both Moodle 1.9.9+ and 2.0.1 installations.
- I have tried myself logging-in with the problematic accounts (to ensure that complaints don't come from user lack of experience).
- I have manually reentered the password info, with the "unmask" option set... just to be sure
- From phpinfo():
-- magic_quotes_gpc: On/Off (in some sites on, in other off)
-- magic_quotes_runtime: Off
-- magic_quotes_sybase: Off
- All sites are on shared servers, but with the same hosting company.

After working with two specific and similar cases (the first one is the one that finally tipped the scale):

1. userone with password GI70'vu>
2. usertwo with password AT09'yo<

I have just found that the apostrophe seems to be the cause behind all this, as I cannot login with them. However, how is it that both accounts logged-in fine the first time (in one case, I was actually with the user) but not now? Strangely enough, I just created a new user with the "AT09'yo<" password, and I could not login.

There is also a particular behavior, easy to notice:

When I try to log in with any of these user/password combinations, I never get the outstanding "Invalid login, please try again" message: the page only refreshes and redisplays the last username that logged-in ok. However, if I enter a different and incorrect password, then I get the "invalid login" message.

Questions:

1. Is there actually any kind of restriction one should be aware of, as to the characters that can/cannot be used for the password? (if there is, then it should be more clearly stated in the documentation and maybe even in the "new user" page, because after all this time, I sure have managed to miss this info).

2. Could I: a) change some configuration inside Moodle, b) upload a configuration file to some directory or c) change some php piece of code to solve this problem... or will I have to change all the (possibly) offending passwords & resend the new ones? (users are sure going to hate me... well, a bit more than usual).

3. I would really like to know what is causing those kinds of accounts to stop working! I guess that the password field in the DB somehow is being updated after the first login.

4. Any other suggestions/tips??

Thanks in advance,
Guillermo

In reply to Guillermo Madero

Re: Login problems - password characters

by Marcus Green -

Here is my typical experience of "non working passwords", yours may be very different as you appear to have logs that track what you are describing. However the human element is very important.

I say "OK everybody login to Moodle". I check the online block. Three students are not logged in.

I call out:  Joe Soap why are you not logged in?

Response:  my password doesn't work

I ask:  have you changed it?

Response: no

I say: Well I have just logged in as you from my machine

Response: I still cannot login

I then walk over to their machines and login successfully using the same username and password as they say they were using.

Note these are 17 year old students of ICT in an affluent part of the world who spend a huge amount of their lives on social networking sites.

In reply to Marcus Green

Re: Login problems - password characters

by Guillermo Madero -

Yes, I've definitely been there... my experience goes from those who haven't even gone to the page (though they say they have); those who try to login... on a different page (!!); those who visit the page but "don't find" where to login; those who try to login... using their email, not their username; those who really try, but only God knows what they are doing (I usually see like 5 to 10 login error entries at the logs)... and finally, those whose password is supposed to work but isn't, which got me to post the previous entry.

And all this only to get them to log in!

Indeed, amazingly enough, most users don't tend to have these "problems" using facebook or twitter.

In reply to Guillermo Madero

Re: Login problems - password characters

by Guillermo Madero -

I've been doing some tests, and here are the results.

/** First domain has:

magic_quotes_gpc      On
magic_quotes_runtime  Off
magic_quotes_sybase   Off

Two subdomains:

a) subdomain 1: Moodle 1.9.9+ (Build: 20100728)
b) subdomain 2: Moodle 2.0.1 (Build: 20101225)

Password tried
DB info <* method used to enter the password - result.

a)
AT09'yo<
a153633665b8530605fede1fdecdb7eb <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09\'yo<
2ab782382b14bd233159d9c0740f3470 <* manual entry - last username redisplayed
a153633665b8530605fede1fdecdb7eb <* file upload  - last username redisplayed

AT09"yo<
a7ecb1d374bbb86ee52aaa5e84745925 <* manual entry - could log in
997d8e68e0effc8fb22091b806246360 <* file upload  - invalid data msg

b)
AT09'yo<
801edee7fa9f4e4cf1bac62eb23ccdaa <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09\'yo<
a153633665b8530605fede1fdecdb7eb <* manual entry - last username redisplayed
a153633665b8530605fede1fdecdb7eb <* file upload  - last username redisplayed

AT09"yo<
997d8e68e0effc8fb22091b806246360 <* manual entry - could log in
997d8e68e0effc8fb22091b806246360 <* file upload  - could log in (force pwd change)

/** Second domain has:

magic_quotes_gpc      Off
magic_quotes_runtime  Off
magic_quotes_sybase   Off

d) subdomain 1: Moodle 1.9.10 (Build: 20101027)
e) subdomain 2: Moodle 2.0.1 (Build: 20101225)

d)
AT09'yo<
a153633665b8530605fede1fdecdb7eb <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09\'yo<
2ab782382b14bd233159d9c0740f3470 <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09"yo<
a7ecb1d374bbb86ee52aaa5e84745925 <* manual entry - could log in
997d8e68e0effc8fb22091b806246360 <* file upload  - invalid data msg

e)
AT09'yo<
801edee7fa9f4e4cf1bac62eb23ccdaa <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09\'yo<
a153633665b8530605fede1fdecdb7eb <* manual entry - last username redisplayed
801edee7fa9f4e4cf1bac62eb23ccdaa <* file upload  - last username redisplayed

AT09"yo<
997d8e68e0effc8fb22091b806246360 <* manual entry - could log in
997d8e68e0effc8fb22091b806246360 <* file upload  - could log in

Maybe someone would have the time and inclination to do some tests and confirm these results?

Anyway, I think that it should be stated in the documentation that certain characters are to be avoided in passwords.

I guess I'll have to change and resend some passwords.

In reply to Guillermo Madero

Re: Login problems - password characters

by Guillermo Madero -

While my original set of special characters for passwords was larger, after using it for some time I ended up discarding the \|@#¿¡^[]{} symbols because they were problematic for inexperienced users: some were "difficult" to find and many needed the AltGr key to be pressed.

Now, in order to stop making any more assumptions, I decided to take my latest set of allowed characters, discard the ' " symbols and test the rest by following the same procedure used before.

In all eight tests:

* One domain having magic_quotes_gpc = On
- with one subdomain with Moodle 1.9.9+ (Build: 20100728)
- and another subdomain with Moodle 2.0.1 (Build: 20101225)
* Another domain having magic_quotes_gpc = Off
- with one subdomain with Moodle 1.9.10 (Build: 20101027)
- and another subdomain with Moodle 2.0.1 (Build: 20101225)
* And using two input methods (manual entry & file upload) in each case...

The resulting hash in the DB "password" field was exactly the same.. phew!

So, hoping this might be helpful for someone, here is the set of special characters I would recommend for passwords (well, at least until some dark configuration somewhere forces me to reconsider it):

! $ % & ) ( * + , - . / : ; < = > ? _

Cheers!

Average of ratings: Useful (1)
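
Added example (not from the thread and not Moodle's code): a Python sketch of how quote-escaping applied before hashing on one code path but not another produces mismatches like those in the test tables above, where `AT09'yo<` on one install and `AT09\'yo<` on another end up with the same stored hash, and why the character set recommended in the last post is unaffected. Assumptions: MD5 with an optional salt (the page shows only 32-hex-digit hashes), a Python model of PHP's `addslashes()`, and hypothetical helper names.

```python
import hashlib

# Special characters recommended in the last post of the thread.
SAFE_SET = "!$%&)(*+,-./:;<=>?_"

def addslashes(s: str) -> str:
    """Python model of PHP addslashes(): escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def md5_hex(password: str, salt: str = "") -> str:
    # Assumption: MD5 over password + optional site salt.
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def variants(password: str, salt: str = "") -> dict:
    """Hashes of the password as typed and after one or two escaping passes."""
    once = addslashes(password)
    return {
        "raw": md5_hex(password, salt),
        "escaped once": md5_hex(once, salt),
        "escaped twice": md5_hex(addslashes(once), salt),
    }

def diagnose(stored_hash: str, password: str, salt: str = "") -> list:
    """Which variants of the known password match the hash in the DB?"""
    return [k for k, h in variants(password, salt).items() if h == stored_hash]

def escaping_sensitive(password: str) -> bool:
    """True if an escaping pass would change the bytes that get hashed."""
    return addslashes(password) != password

if __name__ == "__main__":
    # Constructed scenario: hash stored after one escaping pass,
    # while the login path hashes the raw input.
    stored = md5_hex(addslashes("AT09'yo<"))
    print("login matches:", md5_hex("AT09'yo<") == stored)
    print("stored hash is:", diagnose(stored, "AT09'yo<"))
    for pw in ("AT09'yo<", 'AT09"yo<', "AT09$yo<"):
        print(pw, "sensitive" if escaping_sensitive(pw) else "stable")
```

Running `diagnose()` with a known password, the site's salt (if any) and the value from the DB "password" field tells an admin which form of the password was actually hashed, without resetting the account first.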