Extending password validation

by Simon Champion -
Number of replies: 3

Hi.

I am trying to write a Moodle plugin to extend Moodle's default password validation.

By default, Moodle has options to force passwords to contain minimum numbers of upper case/lower case/etc characters, but I want to extend that to also do other checks, for example including things like checking that you haven't used the same password twice, checking that your password isn't a common English word, etc.

I'm struggling with how to do this. I initially thought I could write an auth plugin, and use the user_update_password() method, but this method only gets called for the specific auth plugin that has been used to create the user account, which doesn't work for me; I need to continue using the existing auth types, and have my method get triggered for any of them that involve a password update.

Can anyone give me any insights into how I can achieve what I want to do?

Thank you :)


In reply to Simon Champion

Re: Extending password validation

by Iñaki Arenaza -

I don't think this is possible without modifying/extending some core code. The password policy checking function doesn't have an extension point built in. And the authentication plugins are not assumed to check the password policy themselves. Moodle assumes that you check your password policy centrally, and if the password passes the check, then the auth plugins simply perform the actions to update it wherever they have to.

So I'd say that the less invasive way to achieve what you want is to add a config setting (either in config.php or directly in the database, in prefix_settings table) with the name of a function that would perform as many additional policy checks as you want. Let's assume for the sake of the example that the setting is called $CFG->additional_password_policy_checks_function. The function would need to take the same two parameters as check_password_policy() function:

  • a string with the new password to check
  • an error message string, passed in by reference, where you would add (concatenate) your additional error messages.

Then you would just add something like this near the end of check_password_policy():

// Existing core check (last of the built-in policy checks).
if (!check_consecutive_identical_characters($password, $CFG->maxconsecutiveidentchars)) {
    $errmsg .= '<div>'. get_string('errormaxconsecutiveidentchars', 'auth', $CFG->maxconsecutiveidentchars) .'</div>';
}

// -- Add from this line --
// Hand the password and the error buffer (by reference) to the configured extra-checks function.
if (!empty($CFG->additional_password_policy_checks_function)) {
    call_user_func_array($CFG->additional_password_policy_checks_function,
                         array($password, &$errmsg));
}
// -- Add to this line --

// Existing core result: the policy passes only if no check appended an error.
if ($errmsg == '') {
    return true;
} else {
    return false;
}

That seems to work as expected in my test Moodle site.

Saludos.

Iñaki.
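An added example of what the configured extra-checks function could look like, implementing the "not a common English word" check from the original question; it is not code from the thread or from Moodle itself, and the setting name, the function name local_pwpolicy_additional_checks and the short word list are assumptions (a real deployment would load a full dictionary and use get_string() for the message):

```php
<?php
// In config.php you would point Moodle at the function (setting name assumed from the post):
// $CFG->additional_password_policy_checks_function = 'local_pwpolicy_additional_checks';

// Constructed sample word list; load a real dictionary file in production.
const LOCAL_PWPOLICY_COMMON_WORDS = ['password', 'welcome', 'letmein', 'monkey', 'dragon', 'moodle'];

/**
 * Extra policy checks with the same signature as check_password_policy():
 * the candidate password, and the error buffer that core passes by reference.
 * Appends an HTML fragment to $errmsg when the password fails a check.
 */
function local_pwpolicy_additional_checks($password, &$errmsg) {
    // Undo common "leet" substitutions so that P@ssw0rd1! is still caught.
    $normalised = strtolower(strtr($password, [
        '@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '0' => 'o', '$' => 's', '5' => 's',
    ]));
    // Keep only letters so that punctuation padding (e.g. "password!!") is ignored.
    $stripped = preg_replace('/[^a-z]/', '', $normalised);

    foreach (LOCAL_PWPOLICY_COMMON_WORDS as $word) {
        // Flag an exact match, or a longer word embedded anywhere in the password.
        if ($stripped === $word || (strlen($word) >= 5 && strpos($stripped, $word) !== false)) {
            $errmsg .= '<div>The password is based on a common word and is too easy to guess.</div>';
            return;
        }
    }
}

// Stand-alone demonstration mirroring how the core hook would invoke the function
// (run with: php thisfile.php); not executed when included from Moodle.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (['P@ssw0rd1!', 'Tr0ub4dor&3'] as $candidate) {
        $errmsg = '';
        call_user_func_array('local_pwpolicy_additional_checks', [$candidate, &$errmsg]);
        echo $candidate, ': ', ($errmsg === '' ? 'ok' : strip_tags($errmsg)), PHP_EOL;
    }
}
```

Because core only returns true when $errmsg is still empty, any text the function appends is enough to reject the password.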

In reply to Iñaki Arenaza

Re: Extending password validation

by Simon Champion -

Hi Iñaki.

Thanks for the reply. You've pretty much confirmed what I had found from my investigations.

I'm not prepared to make proprietary changes to the Moodle core to support my changes -- most of the major problems I've had with supporting Moodle systems over the years have been directly caused by custom core modifications that then became unsupported and unsupportable.

I may consider making a pull request to Moodle to try to get the ability to write a plugin to extend this functionality added into the core, but I'm not sure I have the time or motivation to do that just now.

Thanks again.

    Simon C.