Define generated password policy in Moodle?

by Christos Savva -
Number of replies: 4

Hello fellow Moodlers

We recently came across a problem where our users were unable to log in to Moodle.

After investigating the issue we realized that our Firewall was blocking the requests, picking them up as SQL Injection because of some characters in the password string.

Those users were created from the Moodle GUI (Add User) and we ticked the option "Generate password and notify user".

Is there a way to tell Moodle what kind of password it should generate, so that I remove special characters?

Thank you

Average of ratings: -
In reply to Christos Savva

Re: Define generated password policy in Moodle?

by Iñaki Arenaza -

Hi Christos,

the function that generates those passwords is generate_password() (in lib/moodlelib.php). It takes into account the Password Policy settings so all the passwords it creates comply with the configured policy settings.

The set of characters it uses for all the possible character classes (digits, upper/lower-case letters, symbols, etc) are defined in a few constants at the top of lib/moodlelib.php. If you want to remove some problematic symbols from the pre-defined set, look for the constant PASSWORD_NONALPHANUM and add/remove symbols as needed.

Saludos. Iñaki.

Average of ratings: Useful (1)
In reply to Iñaki Arenaza

Re: Define generated password policy in Moodle?

by Christos Savva -

Hello Iñaki and thank you for your reply.

By Password Policy settings I believe you mean the settings in Moodle Site Policy page? Because there my settings are correct, but Moodle still generates passwords with special characters.

Please see attached

Attachment passwordpolicy.PNG
In reply to Christos Savva

Re: Define generated password policy in Moodle?

by Iñaki Arenaza -

Hi Christos,

yes I'm referring to those settings. Having a closer look at the code I can see why you are still sometimes getting non-alphanum characters in your Moodle-generated passwords.

The generate_password() function has to respect your minimum length setting, taking into account your other restrictions (min alpha, min digits, etc.). What happens if you specify a minimum length of 8 characters but you only impose a 1 digit minimum, 1 lower case letter minimum, etc? If you add up your minimum character-class settings, you only have 3 mandatory characters in the generated passwords. But you expect 8 characters at least. So Moodle needs to add 5 more characters (at least).

And here's the thing: we don't impose a "no more than X characters of this class" restriction anywhere. So when choosing those additional 5 characters, Moodle chooses from any of the existing character classes, including the non-alphanumeric character class.

So either we implement the "no more than X characters of this class" restrictions, or you remove the problematic characters from the PASSWORD_NONALPHANUM constant.

Saludos. Iñaki.

Average of ratings: Useful (3)
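
The padding behaviour described in the reply above, as an added example that is not part of the thread and is not Moodle's generate_password() code: a simplified PHP model with 3 mandatory characters and a minimum length of 8, where the 5 filler characters are drawn from every class. All demo_* names, the symbol set and the "watch" set are constructed for illustration; the thread does not say which characters the firewall matched.

```php
<?php
// Simplified model of the behaviour discussed in this thread.
// NOT Moodle's generate_password(); every name here is hypothetical.
const DEMO_LOWER   = 'abcdefghijklmnopqrstuvwxyz';
const DEMO_UPPER   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DEMO_DIGITS  = '0123456789';
const DEMO_SYMBOLS = '.,;:!?_-+/*@#&$';   // constructed sample symbol set
const DEMO_WATCH   = ';/*#&';             // constructed "problem" characters

/** Pick $n characters from $set using a CSPRNG. */
function demo_pick(string $set, int $n): string {
    $out = '';
    for ($i = 0; $i < $n && $set !== ''; $i++) {
        $out .= $set[random_int(0, strlen($set) - 1)];
    }
    return $out;
}

/**
 * Mandatory characters per class come first; the remainder up to $minlen is
 * drawn from the union of all classes, so symbols can appear even when the
 * symbol minimum is 0.
 */
function demo_generate(int $minlen, array $min, string $symbols): string {
    $sets = ['lower' => DEMO_LOWER, 'upper' => DEMO_UPPER,
             'digits' => DEMO_DIGITS, 'symbols' => $symbols];
    $chars = '';
    foreach ($sets as $class => $set) {
        $chars .= demo_pick($set, $min[$class] ?? 0);
    }
    $chars .= demo_pick(implode('', $sets), max(0, $minlen - strlen($chars)));
    // Fisher-Yates shuffle so position does not reveal the character class.
    $a = str_split($chars);
    for ($i = count($a) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$a[$i], $a[$j]] = [$a[$j], $a[$i]];
    }
    return implode('', $a);
}

/** Fraction of generated passwords containing any character from $watch. */
function demo_watch_rate(string $symbols, string $watch, int $trials = 2000): float {
    $min = ['lower' => 1, 'upper' => 1, 'digits' => 1, 'symbols' => 0];
    $hits = 0;
    for ($t = 0; $t < $trials; $t++) {
        $hits += strpbrk(demo_generate(8, $min, $symbols), $watch) !== false ? 1 : 0;
    }
    return $hits / $trials;
}

printf("full symbol set:    %.1f%%\n", 100 * demo_watch_rate(DEMO_SYMBOLS, DEMO_WATCH));
printf("trimmed symbol set: %.1f%%\n", 100 * demo_watch_rate('.,:!?_-+@$', DEMO_WATCH));
```

With the full set a noticeable share of passwords contains a watched character despite the symbol minimum of 0; with the watched characters removed from the symbol set the rate is zero, which is the effect of trimming PASSWORD_NONALPHANUM.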
In reply to Iñaki Arenaza

Re: Define generated password policy in Moodle?

by Christos Savva -

Thank you so much Iñaki for the info.

I will try to remove the characters from PASSWORD_NONALPHANUM constant.