Is it possible to setup and/or enforce password standards in Moodle with manual accounts only? For example, specifying that a password be a certain length, contain at least one number, etc. How have Moodle admins assured that the passwords used or of a sufficient complexity? I have read about LDAP and using LDAP to enforce passwords but I was wondering if there are other methods that folks have implemented.
You can patch .../login/change_password.php to enforce any restrictions you want in your users' passwords. Just add any suitable checks to function validate_form() after the new passwords have been checked to be equal between them (remember you have to type the new password twice) and different to the current password.
Say you want your passwords to be at least 8 characters long, have at least 1 digit, 1 upper case letter and 1 lowecase letter. You could do something like this:
define ('MIN_PWD_LEN', 8);
define ('MIN_DIGITS', 1);
define ('MIN_LOWER', 1);
define ('MIN_UPPER', 1);
if (strlen($frm->newpassword1) < MIN_PWD_LEN) {
newpassword1 = 'Passwords must be at least ' .
MIN_PWD_LEN . ' characters long';
}
if (preg_match_all('/[:digit:]/u', $frm->newpassword1, $matches) < MIN_DIGITS) {
newpassword1 = 'Passwords must have at least ' .
MIN_DIGITS . ' digit(s)';
}
if (preg_match_all('/[:lower:]/u', $frm->newpassword1, $matches) < MIN_LOWER) {
newpassword1 = 'Passwords must have at least ' .
MIN_LOWER . ' lower case letter(s)';
}
if (preg_match_all('/[:upper:]/u', $frm->newpassword1, $matches) < MIN_UPPER) {
newpassword1 = 'Passwords must have at least '.
MIN_UPPER . ' upper case letter(s)';
}
Saludos. Iñaki.
Good one! There's PHP / PECL extention for cracklib too. It'd be a great thing to add to the mix: detect if cracklib is installed, an run crack_check(). More info at http://www.php.net/crack
Does any one think I should create a feature request to include Iñaki's code and its increased functionality? It would involve adding an option to enforce password requirements. I think it would be a powerful addition. The next step would be more involved and would be to enforce length of time that a password is active but that would involve a change to the database (password_last_updated). Any thoughts as to what should be done to allow administrators the tools needed to ensure the security of Moodle passwords? I think Iñaki's code is a major step in the right direction. Peace.
Humm, I've had a look at it and while useful, I'm a bit wary of using that extension. First off, there is a note at the top of http://www.php.net/crack saying:
Even if this doesn't sound that bad (just download it and compile it yourself), there is this too at http://www.php.net/manual/en/function.crack-check.php:
Saludos. Iñaki.
Note: This extension has been moved to the PECL repository and is no longer bundled with PHP as of PHP 5.0.0.
Even if this doesn't sound that bad (just download it and compile it yourself), there is this too at http://www.php.net/manual/en/function.crack-check.php:
Warning
This function is EXPERIMENTAL. The behaviour of this function, the name of this function, and anything else documented about this function may change without notice in a future release of PHP. Use this function at your own risk.
Which leaves me with a bad feeling.Saludos. Iñaki.
Like always, a very useful functionality created by Iñaki. Many thanks.
Two questions:
- Iñaki, can you send a patch file with this code?
- This code is only applied when the user tries to change the password. But, is not more useful to be applied when the user create is account? signup.php ??
Thanks and a happy new year for all
Duarte S.
And now for the real patch, with GUI integration, language support and all the goodies you'd expect from Moodle 
I've integrated the password policy mechanism in all the places where passwords are set/changed (unless I forgot something): when a new account is created, upon password change and when the admin changes a user's password.
Password policy is switchable (on/off) and somewhat configurable via Administration >> Configuration >> Variables >> Security.
Have fun and report back any bugs you find
Ooops! I almost forgot. The patch is for 1.6.3+, I'll cook one for 1.7 and HEAD in a few hours (it's coffe time here and I'm on holiday
)
Saludos. Iñaki.
Password policy is switchable (on/off) and somewhat configurable via Administration >> Configuration >> Variables >> Security.
Have fun and report back any bugs you find
Ooops! I almost forgot. The patch is for 1.6.3+, I'll cook one for 1.7 and HEAD in a few hours (it's coffe time here and I'm on holiday
Saludos. Iñaki.
Hello everybody,
I am new to Moodle but am rapidly getting up to speed on this powerful tool.
Background - I was asked to take over the administration of a pilot project that was running Moodle 1.52 under EasyPHP and MySQL4. I have successfully migrated the platform to IIS/PHP5/MySQL5/Moodle1.7, and all data is preserved and I am ready to launch the 1.7 version of the portal as the next phase of the pilot project.
Anyhow, I would very much like to add in this functionality to implement password restrictions, but am not sure how to integrate a .diff file (it has been a few years since I worked in a shop that uses a CVS, and I did not use the CVS checkout method to install Moodle, only the downloaded ZIP file). Am also unsure whether the 1.7 version of the patch was completed or not based on the replies above. I cannot find the feature anywhere in the 1.7 configuration pages on my Moodle installation.
Can anyone help me out and let me know how I could get this feature enabled? It sounds perfect for what we need.
Thanks,
Paul Weston
I too had a hard time applying the patches perhaps Iñaki might be willing to upload a zipped version of the patched files??? I kept getting an error that the hunks failed and I am just learning how to work with diffs and patches. Peace.
patching file admin/settings/security.php
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file admin/settings/security.php.rej
patching file lang/en_utf8/admin.php
Hunk #1 FAILED at 461.
1 out of 1 hunk FAILED -- saving rejects to file lang/en_utf8/admin.php.rej
patching file lib/moodlelib.php
Hunk #1 FAILED at 6736.
1 out of 1 hunk FAILED -- saving rejects to file lib/moodlelib.php.rej
patching file login/change_password.php
Hunk #1 FAILED at 168.
1 out of 1 hunk FAILED -- saving rejects to file login/change_password.php.rej
patching file login/signup.php
Hunk #1 FAILED at 112.
1 out of 1 hunk FAILED -- saving rejects to file login/signup.php.rej
patching file user/edit.php
Hunk #1 FAILED at 428.
1 out of 1 hunk FAILED -- saving rejects to file user/edit.php.rej
patching file admin/settings/security.php
Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED -- saving rejects to file admin/settings/security.php.rej
patching file lang/en_utf8/admin.php
Hunk #1 FAILED at 461.
1 out of 1 hunk FAILED -- saving rejects to file lang/en_utf8/admin.php.rej
patching file lib/moodlelib.php
Hunk #1 FAILED at 6736.
1 out of 1 hunk FAILED -- saving rejects to file lib/moodlelib.php.rej
patching file login/change_password.php
Hunk #1 FAILED at 168.
1 out of 1 hunk FAILED -- saving rejects to file login/change_password.php.rej
patching file login/signup.php
Hunk #1 FAILED at 112.
1 out of 1 hunk FAILED -- saving rejects to file login/signup.php.rej
patching file user/edit.php
Hunk #1 FAILED at 428.
1 out of 1 hunk FAILED -- saving rejects to file user/edit.php.rej
Patches were based on the current 1.7.x+ version at the time I made them. If you don't use the same version, some hunks (each piece of the patch) may fail. But having all the hunks fail is something really strange.
I don't mind rebasing the patches to current 1.7.1+, but as long as the patches are outside of the official tree, we'll be playing catchup like this forever.
Saludos. Iñaki.
I don't mind rebasing the patches to current 1.7.1+, but as long as the patches are outside of the official tree, we'll be playing catchup like this forever.
Saludos. Iñaki.
I have downloaded patch for windows (from http://gnuwin32.sourceforge.net/packages/patch.htm), a copy of 1.7.1+ current as of today and the patch for 1.7.x from the bugtracker.
It seems patch for windows doesn't like the Unix end of line convention and aborts with a nice assertion. But I have opened the patch file in Wordpad, saved it as a 'MS-DOS Text File' (to convert it to MS-DOS end of line convention) and tried again. And it has worked like a charm (one of the hunks is applied successfully with an offset of 2 lines, but this is not a problem).
What I did:
1.- Download and extract patch for windows from above URL. I placed the patch.exe binary in C:\bin
2.- Download and extract Moodle somewhere. I placed it in C:\moodle-171
3.- Download the patch file and place it in the same directory you put Moodle (C:\moodle-171\password-policy-17.diff)
4.- Open the patch file with Wordpad, and click 'File' >> 'Save as...', choose a different name for the file (I used 'password-policy-17-dos.diff') and "Save as type" >> 'Text Document - MS-DOS Format'
5.- Open up a command text window, and type:
cd \moodle-171
c:\bin\patch.exe -p1 < password-policy-17-doc.diff
6.- You should get an output similar to this:
patching file admin/settings/security.php
patching file lang/en_utf8/admin.php
patching file lib/moodlelib.php
patching file login/change_password.php
patching file login/signup.php
patching file user/edit.php
Hunk #1 succeeded at 430 (offset 2 lines).
And that's it. In Linux you do much the same, but you don't need an external patch command binary (use the one that comes with your Linux distro) and you can skip step 4.
Saludos. Iñaki.
It seems patch for windows doesn't like the Unix end of line convention and aborts with a nice assertion. But I have opened the patch file in Wordpad, saved it as a 'MS-DOS Text File' (to convert it to MS-DOS end of line convention) and tried again. And it has worked like a charm (one of the hunks is applied successfully with an offset of 2 lines, but this is not a problem).
What I did:
1.- Download and extract patch for windows from above URL. I placed the patch.exe binary in C:\bin
2.- Download and extract Moodle somewhere. I placed it in C:\moodle-171
3.- Download the patch file and place it in the same directory you put Moodle (C:\moodle-171\password-policy-17.diff)
4.- Open the patch file with Wordpad, and click 'File' >> 'Save as...', choose a different name for the file (I used 'password-policy-17-dos.diff') and "Save as type" >> 'Text Document - MS-DOS Format'
5.- Open up a command text window, and type:
cd \moodle-171
c:\bin\patch.exe -p1 < password-policy-17-doc.diff
6.- You should get an output similar to this:
patching file admin/settings/security.php
patching file lang/en_utf8/admin.php
patching file lib/moodlelib.php
patching file login/change_password.php
patching file login/signup.php
patching file user/edit.php
Hunk #1 succeeded at 430 (offset 2 lines).
And that's it. In Linux you do much the same, but you don't need an external patch command binary (use the one that comes with your Linux distro) and you can skip step 4.
Saludos. Iñaki.
Hi All,
Need some help in applying the Quiz omr patch. I had followed the steps mentioned in the documentation available in moodle. But, i am facing some issues. I am very new to executing things from command prompt.
I am receiving the below screenshot when I try to apply the patch. Kindly help me.
Need some help in applying the Quiz omr patch. I had followed the steps mentioned in the documentation available in moodle. But, i am facing some issues. I am very new to executing things from command prompt.
I am receiving the below screenshot when I try to apply the patch. Kindly help me.
Lolz actually i was trying to apply quiz report analysis major patch to my moodle site...!!!
I want to generate Detailed report of quiz and Send it automatically to My students..!!!
I thought applying this quiz report analysis patch will help me generate more better report..!!!!
And i really dont know any thing about enforcing password policy standards...I think i made a mistake by posting wrong thing at the worng place..!!!!!
All i want to do is generate detailed report on my online quiz can u please help me with this???
I jst want to know wats da best way to generate detailed quiz reports??
I want something like this below ...!!!
It might be better to start again in the Quiz forum.
Patches are a VERY bad idea as they only work with a particular version of Moodle. It would help to say which patch you are using.
Most reports (in 2.0) are plugins. You don't need to patch, just unzip the code in the right place.
Are you sure the report you have is for Moodle 2.0? Please give a link to the report patch/plugin.
Patches are a VERY bad idea as they only work with a particular version of Moodle. It would help to say which patch you are using.
Most reports (in 2.0) are plugins. You don't need to patch, just unzip the code in the right place.
Are you sure the report you have is for Moodle 2.0? Please give a link to the report patch/plugin.
I went ahead and just read through the diff and applied the patches manually and quickly tested them on my test server for moodle_17_stable and they seem to work fine. Attached is a zip file of the changed files. Use it in so far as it is helpful. I just ran a CVS update so they should be patches for what is currently in CVS. Let me know if you have any troubles. I have found WinMerge a helpful tool when working in Windows and dealing with customizations. It really helped me to document well any custom changes I had made. I do hope that this gets in to CVS for either 1.7 or 1.8 (or both). You may wish to vote for MDL-8031. Thanks again to Iñaki for the wonderful work on this great patch. Peace - Anthony
Far better if you post your version of the patch, applied to 1.7. Could you do that?
The good thing about posting a patch is that it shows only those changes that you've made, so you can apply it to 1.7, 1.7.1, etc. If instead someone uses the zipped whole files on, for example, 1.7.2, they will probably _revert the whole file_ to the 1.7 version of the file, with your changes, undoing any bugfixes that applied to those files.
Patches are also immensely easier to review. You can read it and understand what is happening.
The good thing about posting a patch is that it shows only those changes that you've made, so you can apply it to 1.7, 1.7.1, etc. If instead someone uses the zipped whole files on, for example, 1.7.2, they will probably _revert the whole file_ to the 1.7 version of the file, with your changes, undoing any bugfixes that applied to those files.
Patches are also immensely easier to review. You can read it and understand what is happening.
Martin - It took me a little while to understand how to read the diff file but I think I get it. I agree that a patch is far more useful for those with experience; however, some of us with less experience were struggling with using diff and patch. I figured I would post the zip file to be used by those of us with less experience and only in so far as it is helpful. In so far as it is not helpful - avoid it. Iñaki has the patch files for 1.6, 1.7, and 1.8 (HEAD) attached in the tracker at MDL-8031. I simply went through and manually changed things since I could not get patch to patch. Peace.
What happened with MDL-8031 ? I can access MDL-8031 in the tracker...
I always get the error:
PERMISSION VIOLATION
|
I already browse tracker for improvements, but I can't find MDL-8031...
Duarte - If you check in the tracker it indicates:
Petr Škoda - [26/Apr/07 03:38 AM ]
Petr Škoda - [26/Apr/07 03:38 AM ]
Fixed in cvs, thanks for the report. And even bigger for the patch.
I have added one more option: non-alphanumeric characters, moved the error messages into auth lang pack and updated the patch to fit current HEAD, the old settings are kept.
I have added one more option: non-alphanumeric characters, moved the error messages into auth lang pack and updated the patch to fit current HEAD, the old settings are kept.
Hello again Anthony,
"Duarte - If you check in the tracker it indicates:"
In the tracker, if I try to enter directly in MDL-8031 (from a link) I always get the same error.
The same if I search for MDL-8031.
If I browse the tracker I can't find the MDL-8031.
If I browse the tracker only for issues solved by Skoda I still don't find the MDL-8031.
Is strange...
But don't worry, if is in the CVS...
But tell me one thing: was fixed for which Moodle versions?
Beware, this is just available in HEAD (the current development version), but not in 1.8 or 1.7. If you need to use it in 1.7 or 1.6 you can use the patches I posted in the bug report. As for 1.8, the patch called password-policy-18dev.diff __might__ apply to 1.8 (but I have not tested it).
Saludos. Iñaki.
Saludos. Iñaki.
> This is one thing that I don't understand in Moodle development...
I think the main problem here is lack of ressources. I suspect they have a limited set of paid staff to develop and maintain Moodle, and they have to choose between developing (and fixing) the latest versions, or backporting changes to older ones.
Saludos. Iñaki.
I think the main problem here is lack of ressources. I suspect they have a limited set of paid staff to develop and maintain Moodle, and they have to choose between developing (and fixing) the latest versions, or backporting changes to older ones.
Saludos. Iñaki.
>they have a limited set of paid staff to develop and maintain Moodle~
And with this lack of resources they are doing a very fine job!
But it seems that they are essentially focused in the development of new versions.
Remember me Microsoft strategy: every time we close and open the eyes they put in the market a new version of their products...
In this case is a useful improvement patch, but I already saw some bugs that the people found in Moodle 1.8 and they only fixed for 1.9...
If is always like that, Moodle never will have a full corrected or full stable version...
It seems to me that the right strategy should be: Bugs and very useful improvements must be fixed for the current stable version and for the next version; other improvements only for the next version.
This is only a suggestion from a simple Moodler...
But, like I said in the beginning: They are doing a fine job!
Iñaki,
I just tested it and:
- Works when the user is creating a new account;
- Don't work when the user change is password;
- Don't work when the administrator change the user password (here I noticed that 1.8 have now edit_form.php and editadvanced_form.php).
Gracias e Saludos
Duarte S.
Ok, here's a new version of the patch for 1.8. I've just rebased Petr Skodak's patch for 1.9dev, which applies cleanly on 1.8 (with a few offset warnings). This patch should apply cleanly to todays' 1.8+ version (2007021503).
Saludos. Iñaki.
Saludos. Iñaki.
Hello Iñaki,
Password policy:
Password Length minpasswordlength: 8
Digits minpassworddigits:1
Lowercase letters minpasswordlower:1
Uppercase letters minpasswordupper :1
Non-alphanumeric characters minpasswordnonalphanum:1
I tested changing the old password to this new password: 12345678
I think we are talking about the same form. The form displayed to the user after "Change Password" button:
Change password
Username user3
Current Password
New password
New password (again)
Yup! You are right!!!! It seems they changed the way login/change_password_form.php returned the errors from the form and Petr Skodak missed it (and so did I).
Just add a:
return $errors;
after the lines that read:
$errors['newpassword1'] = $errmsg;
$errors['newpassword2'] = $errmsg;
near the end of the file. That should do the trick
Btw, I've filed a bug for this: MDL-9654 (with a patch), just in case.
Saludos. Iñaki.