Is it possible to setup and/or enforce password standards in Moodle with manual accounts only? For example, specifying that a password be a certain length, contain at least one number, etc. How have Moodle admins assured that the passwords used or of a sufficient complexity? I have read about LDAP and using LDAP to enforce passwords but I was wondering if there are other methods that folks have implemented.
You can patch .../login/change_password.php to enforce any restrictions you want in your users' passwords. Just add any suitable checks to function validate_form() after the new passwords have been checked to be equal between them (remember you have to type the new password twice) and different to the current password.
Say you want your passwords to be at least 8 characters long, have at least 1 digit, 1 upper case letter and 1 lowecase letter. You could do something like this:
define ('MIN_PWD_LEN', 8);
define ('MIN_DIGITS', 1);
define ('MIN_LOWER', 1);
define ('MIN_UPPER', 1);
if (strlen($frm->newpassword1) < MIN_PWD_LEN) {
newpassword1 = 'Passwords must be at least ' .
MIN_PWD_LEN . ' characters long';
}
if (preg_match_all('/[:digit:]/u', $frm->newpassword1, $matches) < MIN_DIGITS) {
newpassword1 = 'Passwords must have at least ' .
MIN_DIGITS . ' digit(s)';
}
if (preg_match_all('/[:lower:]/u', $frm->newpassword1, $matches) < MIN_LOWER) {
newpassword1 = 'Passwords must have at least ' .
MIN_LOWER . ' lower case letter(s)';
}
if (preg_match_all('/[:upper:]/u', $frm->newpassword1, $matches) < MIN_UPPER) {
newpassword1 = 'Passwords must have at least '.
MIN_UPPER . ' upper case letter(s)';
}
Saludos. Iñaki.
Iñaki - Thank you for the perfect response to my question. Your response will save me lots of time and allow me to begin enforcing sometype of password complexity on our server. Mil gracias.
Good one! There's PHP / PECL extention for cracklib too. It'd be a great thing to add to the mix: detect if cracklib is installed, an run crack_check(). More info at http://www.php.net/crack
Does any one think I should create a feature request to include Iñaki's code and its increased functionality? It would involve adding an option to enforce password requirements. I think it would be a powerful addition. The next step would be more involved and would be to enforce length of time that a password is active but that would involve a change to the database (password_last_updated). Any thoughts as to what should be done to allow administrators the tools needed to ensure the security of Moodle passwords? I think Iñaki's code is a major step in the right direction. Peace.
Humm, I've had a look at it and while useful, I'm a bit wary of using that extension. First off, there is a note at the top of http://www.php.net/crack saying:
Even if this doesn't sound that bad (just download it and compile it yourself), there is this too at http://www.php.net/manual/en/function.crack-check.php:
Saludos. Iñaki.
Note: This extension has been moved to the PECL repository and is no longer bundled with PHP as of PHP 5.0.0.
Even if this doesn't sound that bad (just download it and compile it yourself), there is this too at http://www.php.net/manual/en/function.crack-check.php:
Warning
This function is EXPERIMENTAL. The behaviour of this function, the name of this function, and anything else documented about this function may change without notice in a future release of PHP. Use this function at your own risk.
Which leaves me with a bad feeling.Saludos. Iñaki.
Like always, a very useful functionality created by Iñaki. Many thanks.
Two questions:
- Iñaki, can you send a patch file with this code?
- This code is only applied when the user tries to change the password. But, is not more useful to be applied when the user create is account? signup.php ??
Thanks and a happy new year for all
Duarte S.
Now that I have a look at it, it seems the filters at Moodle.org have munged some parts of the code. The lines that read:
$newpassword1 = '...some text here...';
should really read:
$err->newpassword1 = '...some text here...';
Saludos. Iñaki.
Thanks for the un-munged version!
And now for the real patch, with GUI integration, language support and all the goodies you'd expect from Moodle 
I've integrated the password policy mechanism in all the places where passwords are set/changed (unless I forgot something): when a new account is created, upon password change and when the admin changes a user's password.
Password policy is switchable (on/off) and somewhat configurable via Administration >> Configuration >> Variables >> Security.
Have fun and report back any bugs you find
Ooops! I almost forgot. The patch is for 1.6.3+, I'll cook one for 1.7 and HEAD in a few hours (it's coffe time here and I'm on holiday
)
Saludos. Iñaki.
Password policy is switchable (on/off) and somewhat configurable via Administration >> Configuration >> Variables >> Security.
Have fun and report back any bugs you find
Ooops! I almost forgot. The patch is for 1.6.3+, I'll cook one for 1.7 and HEAD in a few hours (it's coffe time here and I'm on holiday
Saludos. Iñaki.
I have attached the patches for 1.6.3+, 1.7+ and 1.8dev to the bug report (the 1.6.3+ updated patch removes a couple of changes from the original patch that are not related to the new functionlity).
Saludos. Iñaki.
Saludos. Iñaki.
Gracias. I hope that this improved functionality gets committed to CVS.
Hello everybody,
I am new to Moodle but am rapidly getting up to speed on this powerful tool.
Background - I was asked to take over the administration of a pilot project that was running Moodle 1.52 under EasyPHP and MySQL4. I have successfully migrated the platform to IIS/PHP5/MySQL5/Moodle1.7, and all data is preserved and I am ready to launch the 1.7 version of the portal as the next phase of the pilot project.
Anyhow, I would very much like to add in this functionality to implement password restrictions, but am not sure how to integrate a .diff file (it has been a few years since I worked in a shop that uses a CVS, and I did not use the CVS checkout method to install Moodle, only the downloaded ZIP file). Am also unsure whether the 1.7 version of the patch was completed or not based on the replies above. I cannot find the feature anywhere in the 1.7 configuration pages on my Moodle installation.
Can anyone help me out and let me know how I could get this feature enabled? It sounds perfect for what we need.
Thanks,
Paul Weston
I too had a hard time applying the patches perhaps Iñaki might be willing to upload a zipped version of the patched files??? I kept getting an error that the hunks failed and I am just learning how to work with diffs and patches. Peace.
patching file admin/settings/security.php
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file admin/settings/security.php.rej
patching file lang/en_utf8/admin.php
Hunk #1 FAILED at 461.
1 out of 1 hunk FAILED -- saving rejects to file lang/en_utf8/admin.php.rej
patching file lib/moodlelib.php
Hunk #1 FAILED at 6736.
1 out of 1 hunk FAILED -- saving rejects to file lib/moodlelib.php.rej
patching file login/change_password.php
Hunk #1 FAILED at 168.
1 out of 1 hunk FAILED -- saving rejects to file login/change_password.php.rej
patching file login/signup.php
Hunk #1 FAILED at 112.
1 out of 1 hunk FAILED -- saving rejects to file login/signup.php.rej
patching file user/edit.php
Hunk #1 FAILED at 428.
1 out of 1 hunk FAILED -- saving rejects to file user/edit.php.rej
patching file admin/settings/security.php
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file admin/settings/security.php.rej
patching file lang/en_utf8/admin.php
Hunk #1 FAILED at 461.
1 out of 1 hunk FAILED -- saving rejects to file lang/en_utf8/admin.php.rej
patching file lib/moodlelib.php
Hunk #1 FAILED at 6736.
1 out of 1 hunk FAILED -- saving rejects to file lib/moodlelib.php.rej
patching file login/change_password.php
Hunk #1 FAILED at 168.
1 out of 1 hunk FAILED -- saving rejects to file login/change_password.php.rej
patching file login/signup.php
Hunk #1 FAILED at 112.
1 out of 1 hunk FAILED -- saving rejects to file login/signup.php.rej
patching file user/edit.php
Hunk #1 FAILED at 428.
1 out of 1 hunk FAILED -- saving rejects to file user/edit.php.rej
Patches were based on the current 1.7.x+ version at the time I made them. If you don't use the same version, some hunks (each piece of the patch) may fail. But having all the hunks fail is something really strange.
I don't mind rebasing the patches to current 1.7.1+, but as long as the patches are outside of the official tree, we'll be playing catchup like this forever.
Saludos. Iñaki.
I don't mind rebasing the patches to current 1.7.1+, but as long as the patches are outside of the official tree, we'll be playing catchup like this forever.
Saludos. Iñaki.
I have downloaded patch for windows (from http://gnuwin32.sourceforge.net/packages/patch.htm), a copy of 1.7.1+ current as of today and the patch for 1.7.x from the bugtracker.
It seems patch for windows doesn't like the Unix end of line convention and aborts with a nice assertion. But I have opened the patch file in Wordpad, saved it as a 'MS-DOS Text File' (to convert it to MS-DOS end of line convention) and tried again. And it has worked like a charm (one of the hunks is applied successfully with an offset of 2 lines, but this is not a problem).
What I did:
1.- Download and extract patch for windows from above URL. I placed the patch.exe binary in C:\bin
2.- Download and extract Moodle somewhere. I placed it in C:\moodle-171
3.- Download the patch file and place it in the same directory you put Moodle (C:\moodle-171\password-policy-17.diff)
4.- Open the patch file with Wordpad, and click 'File' >> 'Save as...', choose a different name for the file (I used 'password-policy-17-dos.diff') and "Save as type" >> 'Text Document - MS-DOS Format'
5.- Open up a command text window, and type:
cd \moodle-171
c:\bin\patch.exe -p1 < password-policy-17-doc.diff
6.- You should get an output similar to this:
patching file admin/settings/security.php
patching file lang/en_utf8/admin.php
patching file lib/moodlelib.php
patching file login/change_password.php
patching file login/signup.php
patching file user/edit.php
Hunk #1 succeeded at 430 (offset 2 lines).
And that's it. In Linux you do much the same, but you don't need an external patch command binary (use the one that comes with your Linux distro) and you can skip step 4.
Saludos. Iñaki.
It seems patch for windows doesn't like the Unix end of line convention and aborts with a nice assertion. But I have opened the patch file in Wordpad, saved it as a 'MS-DOS Text File' (to convert it to MS-DOS end of line convention) and tried again. And it has worked like a charm (one of the hunks is applied successfully with an offset of 2 lines, but this is not a problem).
What I did:
1.- Download and extract patch for windows from above URL. I placed the patch.exe binary in C:\bin
2.- Download and extract Moodle somewhere. I placed it in C:\moodle-171
3.- Download the patch file and place it in the same directory you put Moodle (C:\moodle-171\password-policy-17.diff)
4.- Open the patch file with Wordpad, and click 'File' >> 'Save as...', choose a different name for the file (I used 'password-policy-17-dos.diff') and "Save as type" >> 'Text Document - MS-DOS Format'
5.- Open up a command text window, and type:
cd \moodle-171
c:\bin\patch.exe -p1 < password-policy-17-doc.diff
6.- You should get an output similar to this:
patching file admin/settings/security.php
patching file lang/en_utf8/admin.php
patching file lib/moodlelib.php
patching file login/change_password.php
patching file login/signup.php
patching file user/edit.php
Hunk #1 succeeded at 430 (offset 2 lines).
And that's it. In Linux you do much the same, but you don't need an external patch command binary (use the one that comes with your Linux distro) and you can skip step 4.
Saludos. Iñaki.
I thought WinMerge was quite good at applying patches... and it should handle unix newlines! That's what I used last time I was tied to a Windows machine (~6 years ago) 
Actually WinMerge will not apply patches but it can create a patch file from a comparison of two files. To apply patches in the Windows world you have to use the GnuWin32 patch program.
Hi All,
Need some help in applying the Quiz omr patch. I had followed the steps mentioned in the documentation available in moodle. But, i am facing some issues. I am very new to executing things from command prompt.
I am receiving the below screenshot when I try to apply the patch. Kindly help me.
Need some help in applying the Quiz omr patch. I had followed the steps mentioned in the documentation available in moodle. But, i am facing some issues. I am very new to executing things from command prompt.
I am receiving the below screenshot when I try to apply the patch. Kindly help me.
Hii i have done everything mention in da above post but still not able to apply patch..Please help me to find out where i m making a mistake in applying patch i have attached screenshot of my directory and file locations..!!!
Next i have downloaded my patch file and saved it into same directory in which i have saved my moodle files..!!
Errr.... why?
Moodle *has* password standards enforcing built in. If you are really still using Moodle 1.7.1 (as implied by your folder name) then you should upgrade - that version is ancient history (and was horribly buggy IIRC).
Moodle *has* password standards enforcing built in. If you are really still using Moodle 1.7.1 (as implied by your folder name) then you should upgrade - that version is ancient history (and was horribly buggy IIRC).
So wat should i do now how should i apply patch to my moodle site???
Please help..!!!
I m not using Moodle moodle 1.7.1 i m using latest version 2.0.3 i jst named dat folder moodle171 coz its mention in above instruction..!!!
Unless I am missing something.... stop now
1. Moodle 2.0.3 has the functionality required built in - you don't need this patch
2. Even if it didn't, there is NO WAY you can apply a patch from 1.7.something to Moodle 2.0.3. That's never going to work.
1. Moodle 2.0.3 has the functionality required built in - you don't need this patch
2. Even if it didn't, there is NO WAY you can apply a patch from 1.7.something to Moodle 2.0.3. That's never going to work.
Humm ok basically i want to generate report for quiz wats da best way to create custom quiz reports how i can do it???
Then explain why you are trying to apply an ancient patch to enforce password policy?
This is some sort of joke.... well, I hope it is
This is some sort of joke.... well, I hope it is
Lolz actually i was trying to apply quiz report analysis major patch to my moodle site...!!!
I want to generate Detailed report of quiz and Send it automatically to My students..!!!
I thought applying this quiz report analysis patch will help me generate more better report..!!!!
And i really dont know any thing about enforcing password policy standards...I think i made a mistake by posting wrong thing at the worng place..!!!!!
All i want to do is generate detailed report on my online quiz can u please help me with this???
I jst want to know wats da best way to generate detailed quiz reports??
I want something like this below ...!!!
It might be better to start again in the Quiz forum.
Patches are a VERY bad idea as they only work with a particular version of Moodle. It would help to say which patch you are using.
Most reports (in 2.0) are plugins. You don't need to patch, just unzip the code in the right place.
Are you sure the report you have is for Moodle 2.0? Please give a link to the report patch/plugin.
Patches are a VERY bad idea as they only work with a particular version of Moodle. It would help to say which patch you are using.
Most reports (in 2.0) are plugins. You don't need to patch, just unzip the code in the right place.
Are you sure the report you have is for Moodle 2.0? Please give a link to the report patch/plugin.
So which plugin i can use to generate the above report do u know n e good 1 i searchd alot but didnt get n e
Don't know. Ask in the quiz forum
Thanks for your posts about the patches. Hopefully, they can be committed to CVS soon and then we will not have to worry about it. I figured that there was some problem where I need to use unix2dos, dos2unix, etc. but I did not have a chance to troubleshoot it. Peace - Anthony
I went ahead and just read through the diff and applied the patches manually and quickly tested them on my test server for moodle_17_stable and they seem to work fine. Attached is a zip file of the changed files. Use it in so far as it is helpful. I just ran a CVS update so they should be patches for what is currently in CVS. Let me know if you have any troubles. I have found WinMerge a helpful tool when working in Windows and dealing with customizations. It really helped me to document well any custom changes I had made. I do hope that this gets in to CVS for either 1.7 or 1.8 (or both). You may wish to vote for MDL-8031. Thanks again to Iñaki for the wonderful work on this great patch. Peace - Anthony
Far better if you post your version of the patch, applied to 1.7. Could you do that?
The good thing about posting a patch is that it shows only those changes that you've made, so you can apply it to 1.7, 1.7.1, etc. If instead someone uses the zipped whole files on, for example, 1.7.2, they will probably _revert the whole file_ to the 1.7 version of the file, with your changes, undoing any bugfixes that applied to those files.
Patches are also immensely easier to review. You can read it and understand what is happening.
The good thing about posting a patch is that it shows only those changes that you've made, so you can apply it to 1.7, 1.7.1, etc. If instead someone uses the zipped whole files on, for example, 1.7.2, they will probably _revert the whole file_ to the 1.7 version of the file, with your changes, undoing any bugfixes that applied to those files.
Patches are also immensely easier to review. You can read it and understand what is happening.
Martin - It took me a little while to understand how to read the diff file but I think I get it. I agree that a patch is far more useful for those with experience; however, some of us with less experience were struggling with using diff and patch. I figured I would post the zip file to be used by those of us with less experience and only in so far as it is helpful. In so far as it is not helpful - avoid it. Iñaki has the patch files for 1.6, 1.7, and 1.8 (HEAD) attached in the tracker at MDL-8031. I simply went through and manually changed things since I could not get patch to patch. Peace.
What happened with MDL-8031 ? I can access MDL-8031 in the tracker...
I always get the error:
PERMISSION VIOLATION
|
I already browse tracker for improvements, but I can't find MDL-8031...
It looks like MDL-8031 was fixed today in CVS. You may want to test it out. Peace.
Hello Anthony, thanks for your answer.
"It looks like MDL-8031 was fixed today in CVS"
Are you sure? Because I tried last month with the same error...
Duarte - If you check in the tracker it indicates:
Petr Škoda - [26/Apr/07 03:38 AM ]
Petr Škoda - [26/Apr/07 03:38 AM ]
Fixed in cvs, thanks for the report. And even bigger for the patch.
I have added one more option: non-alphanumeric characters, moved the error messages into auth lang pack and updated the patch to fit current HEAD, the old settings are kept.
I have added one more option: non-alphanumeric characters, moved the error messages into auth lang pack and updated the patch to fit current HEAD, the old settings are kept.
Hello again Anthony,
"Duarte - If you check in the tracker it indicates:"
In the tracker, if I try to enter directly in MDL-8031 (from a link) I always get the same error.
The same if I search for MDL-8031.
If I browse the tracker I can't find the MDL-8031.
If I browse the tracker only for issues solved by Skoda I still don't find the MDL-8031.
Is strange...
But don't worry, if is in the CVS...
But tell me one thing: was fixed for which Moodle versions?
Beware, this is just available in HEAD (the current development version), but not in 1.8 or 1.7. If you need to use it in 1.7 or 1.6 you can use the patches I posted in the bug report. As for 1.8, the patch called password-policy-18dev.diff __might__ apply to 1.8 (but I have not tested it).
Saludos. Iñaki.
Saludos. Iñaki.
This is one thing that I don't understand in Moodle development...
The people are using Moodle versions 1.8, 1.7 and even 1.6.
This improvement is very useful but they only fixed for 1.9 (one version in development that most of the people don't use...)
> This is one thing that I don't understand in Moodle development...
I think the main problem here is lack of ressources. I suspect they have a limited set of paid staff to develop and maintain Moodle, and they have to choose between developing (and fixing) the latest versions, or backporting changes to older ones.
Saludos. Iñaki.
I think the main problem here is lack of ressources. I suspect they have a limited set of paid staff to develop and maintain Moodle, and they have to choose between developing (and fixing) the latest versions, or backporting changes to older ones.
Saludos. Iñaki.
>they have a limited set of paid staff to develop and maintain Moodle~
And with this lack of resources they are doing a very fine job!
But it seems that they are essentially focused in the development of new versions.
Remember me Microsoft strategy: every time we close and open the eyes they put in the market a new version of their products...
In this case is a useful improvement patch, but I already saw some bugs that the people found in Moodle 1.8 and they only fixed for 1.9...
If is always like that, Moodle never will have a full corrected or full stable version...
It seems to me that the right strategy should be: Bugs and very useful improvements must be fixed for the current stable version and for the next version; other improvements only for the next version.
This is only a suggestion from a simple Moodler...
But, like I said in the beginning: They are doing a fine job!
Iñaki,
I just tested it and:
- Works when the user is creating a new account;
- Don't work when the user change is password;
- Don't work when the administrator change the user password (here I noticed that 1.8 have now edit_form.php and editadvanced_form.php).
Gracias e Saludos
Duarte S.
Ok, here's a new version of the patch for 1.8. I've just rebased Petr Skodak's patch for 1.9dev, which applies cleanly on 1.8 (with a few offset warnings). This patch should apply cleanly to todays' 1.8+ version (2007021503).
Saludos. Iñaki.
Saludos. Iñaki.
Many thanks Iñaki,
You deserve a kiss! 
Saludos
Duarte S.
Hello again Iñaki,
I tested this new patch and it’s almost there....
The change_password_form.php is not working. The user can change his password and the new password not met the password policy settings.
Saludos
Duarte S.
Could you please tell me what new password you used to test it? And what password policy settings did you have?
All the tests I did enforced the policy settings every time.
Saludos. Iñaki.
All the tests I did enforced the policy settings every time.
Saludos. Iñaki.
Hello Iñaki,
Password policy:
Password Length minpasswordlength: 8
Digits minpassworddigits:1
Lowercase letters minpasswordlower:1
Uppercase letters minpasswordupper :1
Non-alphanumeric characters minpasswordnonalphanum:1
I tested changing the old password to this new password: 12345678
I think we are talking about the same form. The form displayed to the user after "Change Password" button:
Change password
Username user3
Current Password
New password
New password (again)
Yup! You are right!!!! It seems they changed the way login/change_password_form.php returned the errors from the form and Petr Skodak missed it (and so did I).
Just add a:
return $errors;
after the lines that read:
$errors['newpassword1'] = $errmsg;
$errors['newpassword2'] = $errmsg;
near the end of the file. That should do the trick
Btw, I've filed a bug for this: MDL-9654 (with a patch), just in case.
Saludos. Iñaki.
I tested again password-policy-18dev.diff in Moodle 1.8 and is not ful working...