Is there a way to make the username and password case insensitive?
Make username and password case insensitive
I don't believe that the username is currently case sensitive (I have just checked on my local installation), but I'm afraid that I don't think it's possible to make the password case insensitive without making some changes to the manual authentication plugin within Moodle.
As an alternative, you could adjust your Security policies (Site Administration -> Security -> Site Policies) to change the password policies. You can modify this policy to not require any uppercase letters for example so that your users can just have an entirely lowercase password.
Obviously, this will reduce the resilience of your passwords to various types of attacks, but it shouldn't necessarily reduce security depending on how sensible your users are with their passwords - http://xkcd.com/936/.
Username is not case sensitive. It is lowercase (but Moodle changes it from uppercase to lowercase when you log in with uppercase).
You're right! I just checked and my username was NOT case sensitive.
As for the password, could we modify the code so that all password form fields convert the password to lowercase prior to adding, comparing or modifying DB values? Based on my very basic form field knowledge, all fields are stored in a variable before being sent to the DB.
It would technically be possible to do this - you could modify the manual authentication mechanism, but it's not something I'd advise. If you were to do so, you'd need to look at auth/manual/auth.php and/or lib/moodlelib.php in various places - I'm not exactly sure off the top of my head which.
In addition, you'd need to change the password policy to allow you to enter a password which contains no uppercase characters.
As I mentioned before, as an alternative to changing your password to force lowercase, you could just adjust your Security policies (Site Administration -> Security -> Site Policies) to change the password policies to not require any uppercase letters for example so that your users can just have an entirely lowercase password. This solution would not require any changes to the Moodle code base and would mean that upgrading Moodle would be much easier in the future.
I wish we could just force lowercase. Unfortunately, we import users via CSV and make their username and password their e-mail address. We have users who are capitalizing the first letter of their name in their login.
We are looking for a solution that wouldn't require any end-user training.
We have found a solution that will take 5 - 10 hours to implement. We will intercept all password processing and convert it to lowercase before it is stored in the database. This includes:
1. Importing via CSV
2. Logging into the system
3. Changing / resetting the password
I believe those are all the locations that the password is utilized. Any other locations? Is the password stored in a variable that is referenced in multiple locations that we would need to watch out for?
I mean, if some people have capital letters in their mail-addresses, let them have those. Since the initial password is the e-mail address, they'll understand that the password too has the same capital letters.
I will keep pushing to keep the system the same. The problem is that users are not looking at the username/password login file. They are just informed that their username and password are their e-mail. Some people are used to using a variety of case variations.
We found a way to make the password case insensitive, but it would require resetting the password for all existing users. I am going to reach out to some Moodle consulting companies to see if they have any final advice.
Maybe I'm confused, but I see that there is no way to remove the "lowercase only" rule from the username. I have checked the "Allow extended characters in usernames" box, but still I cannot use an uppercase letter in the username. How do I change this?
Well, I must say I personally consider that a bad idea. Having the password case insensitive goes completely against the whole idea of password authentication. Good practice is, on the contrary, to allow (and actually use) as many character types as possible. Any limitation put on accepted characters in the password significantly degrades the potential strength of the password. That is why security experts recommend using a passphrase instead of a single password (that is, use multiple words separated by spaces, for example), mixing letter case and using non-alphabetical characters. All these help to prevent guessing the password. Any operation (such as changing the case, trimming the trailing whitespace etc.) just makes the passwords weaker - for no good reason.
I do understand why the letter case in usernames should be ignored. But for passwords, I would definitely discourage doing that.
I agree that passwords must not be weakened. There are some sites that do inverted case and first capital letter to work around user frustration with Caps Lock and automatic first capital; the only question is, do we want yet another setting in the admin UI?
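
The two approaches raised in this thread, side by side, as an added example that is not part of any post and is not Moodle code: lowercasing before hashing versus checking a fixed set of variants (as typed, Caps Lock inverted, first letter lowercased) against the unchanged stored hash. All function names are hypothetical, PBKDF2 is an assumed stand-in for the site's real password hash, and the sample passwords and salt are constructed.

```python
import hashlib
import hmac

def hash_password(password, salt):
    # PBKDF2 is a stand-in here (assumption); any salted slow hash behaves the same way.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def candidate_variants(typed):
    """The input as typed, plus corrections for the two slips named in the thread."""
    variants = [typed]
    for v in (typed.swapcase(),                 # Caps Lock was on
              typed[:1].lower() + typed[1:]):   # first letter auto-capitalised
        if v not in variants:
            variants.append(v)
    return variants

def verify_tolerant(typed, salt, stored):
    """Check a few variants against the existing hash; stored hashes stay untouched."""
    ok = False
    for v in candidate_variants(typed):
        ok |= hmac.compare_digest(hash_password(v, salt), stored)
    return ok

def verify_folded(typed, salt, stored):
    """Lowercase-before-hash: only matches if the stored hash was made from lowercase."""
    return hmac.compare_digest(hash_password(typed.lower(), salt), stored)

def accepted_spellings(password, policy):
    """How many distinct typed strings log in for one stored password."""
    if policy == "folded":
        cased = sum(c.lower() != c.upper() for c in password)
        return 2 ** cased
    guesses = {password, password.swapcase(), password[:1].upper() + password[1:]}
    return sum(password in candidate_variants(g) for g in guesses)

if __name__ == "__main__":
    salt = b"constructed-salt"                              # constructed sample values
    stored = hash_password("Jane.Doe@example.com", salt)    # hash made before any change
    print(verify_folded("Jane.Doe@example.com", salt, stored))    # existing hash, folded check
    print(verify_tolerant("jANE.dOE@EXAMPLE.COM", salt, stored))  # Caps Lock slip
    print(verify_tolerant("jane.doe@example.com", salt, stored))  # arbitrary case change
    print(accepted_spellings("correct horse", "folded"))
    print(accepted_spellings("correct horse", "tolerant"))
```

Folding fails against hashes created before the change, which is why it forces a reset for existing users, and it lets every case spelling of the password log in; the variant check leaves stored hashes alone and accepts at most three spellings, but it does not accept arbitrary capitalisation.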