Security and privacy

Make username and password case insensitive

Micky Fokken
Make username and password case insensitive
 

Is there a way to make the username and password case insensitive?

 
Average of ratings: -
Andrew Nicols
Re: Make username and password case insensitive
Hi Micky,

I don't believe that the username is currently case sensitive (I have just checked on my local installation), but I'm afraid that I don't think it's possible to make the password case insensitive without making some changes to the manual authentication plugin within Moodle.

As an alternative, you could adjust your Security policies (Site Administration -> Security -> Site Policies) to change the password policies. You can modify this policy to not require any uppercase letters for example so that your users can just have an entirely lowercase password.

Obviously, this will reduce the resilience of your passwords to various types of attacks, but it shouldn't necessarily reduce security depending on how sensible your users are with their passwords - http://xkcd.com/936/.

Best wishes,

Andrew
 
Average of ratings: -
Fernando Navarro
Re: Make username and password case insensitive

Hi :)

Username is not case sensitive. It is lowercase (but Moodle changes it from uppercase to lowercase when you log in with uppercase).

Salu2

Fernando

 
Average of ratings: -
Micky Fokken
Re: Make username and password case insensitive
 

Salu,

You're right! I just checked and my username was NOT case sensitive.

As for the password, could we modify the code so that all password form fields convert the password to lowercase prior to adding, comparing or modifying DB values?  Based on my very basic form field knowledge, all fields are stored in a variable before being sent to the DB.

 
Average of ratings: -
Andrew Nicols
Re: Make username and password case insensitive
Hi Micky,

It would technically be possible to do this - you could modify the manual authentication mechanism, but it's not something I'd advise. If you were to do so, you'd need to look at auth/manual/auth.php and/or lib/moodlelib.php in various places - I'm not exactly sure off the top of my head which.

In addition, you'd need to change the password policy to allow you to enter a password which contains no uppercase characters.

As I mentioned before, as an alternative to changing your password to force lowercase, you could just adjust your Security policies (Site Administration -> Security -> Site Policies) to change the password policies to not require any uppercase letters for example so that your users can just have an entirely lowercase password. This solution would not require any changes to the Moodle code base and would mean that upgrading Moodle would be much easier in the future.

Andrew
 
Average of ratings: -
Micky Fokken
Re: Make username and password case insensitive
 

I wish we could just force lowercase.  Unfortunately, we import users via CSV and make their username and password their e-mail address.  We have users who are capitalizing the first letter of their name in their login.

We are looking for a solution that wouldn't require any end-user training.

We have found a solution that will take 5 - 10 hours to implement.  We will intercept all password processing and convert it to lowercase before it is stored in the database.  This includes:

1.  Importing via CSV

2.  Logging into the system

3.  Changing / resetting the password

I believe those are all the locations that the password is utilized.  Any other locations?  Is the password stored in a variable that is referenced in multiple locations that we would need to watch out for?

 
Average of ratings: -
Visvanath Ratnaweera
Re: Make username and password case insensitive
I know, this is not the answer you are looking for. Still, I wonder whether making the end-user understand that "the case matters" is the better solution, in the long run.

I mean, if some people have capital letters in their mail addresses, let them have those. Since the initial password is the e-mail address, they'll understand that the password too has the same capital letters.
 
Average of ratings: -
Micky Fokken
Re: Make username and password case insensitive
 

I will keep pushing to keep the system the same.  The problem is that users are not looking at the username/password login file.  They are just informed that their username and password are their e-mail.  Some people are used to using a variety of case variations.

We found a way to make the password case insensitive, but it would require resetting the password for all existing users.  I am going to reach out to some Moodle consulting companies to see if they have any final advice.

 
Average of ratings: -
Wendi Daniels
Re: Make username and password case insensitive
 

Maybe I'm confused, but I see that there is no way to remove the "lowercase only" rule from the username. I have checked the "Allow extended characters in usernames" box, but still I cannot use an uppercase letter in the username. How do I change this?

 
Average of ratings: -
Petr Skoda
Re: Make username and password case insensitive
Hello, I agree this is a problem. This regression was introduced during the migration to PARAM_USERNAME; unfortunately, it will need bigger changes in the code flow in the login process and it cannot be fixed in stable branches easily. I hope I will find some time before the 2.7 release to finally fix it.
 
Average of ratings: Useful (1)
Wendi Daniels
Re: Make username and password case insensitive
 

Well, it's really not THAT big of a problem...and we are fortunate to have such a great platform. :)

 
Average of ratings: -
David Mudrák
Re: Make username and password case insensitive

Well, I must say I personally consider that a bad idea. Having the password case insensitive goes completely against the whole idea of password authentication. Good practice is, on the contrary, to allow (and actually use) as many character types as possible. Any limitation put on accepted characters in the password significantly degrades the potential strength of the password. That is why security experts recommend using a passphrase instead of a single password (that is, use multiple words separated by spaces, for example), mixing letter case and using non-alphabetical characters. All these help to prevent guessing of the password. Any operation (such as changing the case, trimming the trailing whitespace, etc.) just makes the passwords weaker - for no good reason.

I do understand why the letter case in usernames should be ignored. But for passwords, I would definitely discourage doing that.

 
Average of ratings: Useful (1)
Petr Skoda
Re: Make username and password case insensitive
Oh, I was talking only about the handling of usernames - now everything is forced to be lowercase, which breaks in multiple use cases and auth plugins, which in turn prevents proper implementation of case-insensitive usernames. Some time ago I proposed a patch for login via email which could be done at the same time.

I agree that passwords must not be weakened. There are some sites that do inverted case and first capital letter to work around user frustration with Caps Lock and automatic first capital; the only question is, do we want yet another setting in the admin UI?
 
Average of ratings: -
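
Added example, not part of the thread and not Moodle code: a Python sketch comparing the lowercase-before-hashing plan from the earlier posts with the bounded tolerance mentioned in the last post (inverted case, capitalised first letter). The PBKDF2 hashing, the function names and the sample password are assumptions made for the illustration; Moodle's own password hashing is not shown on this page.

```python
import hashlib
import hmac
import os
from itertools import product

ITERATIONS = 20_000  # kept low so the demo runs quickly; not a recommendation

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def candidates(typed):
    """The typed string plus two bounded corrections: Caps Lock left on
    (all letter case inverted) and an auto-capitalised first letter."""
    out = [typed]
    for variant in (typed.swapcase(), typed[:1].lower() + typed[1:]):
        if variant not in out:
            out.append(variant)
    return out

def verify_tolerant(typed, salt, stored):
    """Accept only the bounded variants; works against the existing hash."""
    ok = False
    for cand in candidates(typed):  # no early exit: check every candidate
        ok |= hmac.compare_digest(hash_password(cand, salt), stored)
    return ok

def verify_lowercased(typed, salt, stored):
    """The 'convert to lowercase before comparing' approach."""
    return hmac.compare_digest(hash_password(typed.lower(), salt), stored)

def case_spellings(password):
    """Every upper/lower spelling of the password (2**letters of them)."""
    pools = [sorted({c.lower(), c.upper()}) for c in password]
    return ["".join(p) for p in product(*pools)]

def count_accepted(verify, password, salt, stored):
    """How many case spellings of the password the verifier lets through."""
    return sum(verify(s, salt, stored) for s in case_spellings(password))

if __name__ == "__main__":
    salt = os.urandom(16)
    password = "tr0Ub4"                             # constructed sample password
    existing = hash_password(password, salt)        # hash already in the DB
    reset = hash_password(password.lower(), salt)   # hash after a forced reset
    print("spellings:", len(case_spellings(password)))
    print("tolerant, existing hash:", count_accepted(verify_tolerant, password, salt, existing))
    print("lowercased, existing hash:", count_accepted(verify_lowercased, password, salt, existing))
    print("lowercased, after reset:", count_accepted(verify_lowercased, password, salt, reset))
```

For the constructed sample, the tolerant check accepts 3 of the 16 case spellings against the hash already stored, while the lowercase approach rejects even the correct password until every hash is reset and then accepts all 16.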