Vulnerable Password

Authentication ::: auth_vulnerablepassword
Maintained by Josh Willcock
This Moodle plugin attempts to check HIBP's list of exposed passwords. Enabling your learners to be informed if their password has ever been involved in a data breach.
Latest release:
5 sites
3 fans
Current versions available: 1

Over the last few years Data Breaches have been in the news a lot. It is not surprising with such large platforms being targeted that many of our account details have made their way onto the dark web or end up pasted all over the internet. In an attempt to ensure our users accounts are safe, this plugin grabs the users password and without sending it to a third party checks if the password has been compromised. If the password has been compromised it will refer the user to a warning page on login, which they can then either change their password or continue to their original destination. This will occur every time the user logs in with the compromised password until they change it.


Screenshot #0
Screenshot #1


Josh Willcock (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS


  • Fri, Aug 3, 2018, 1:00 AM
    Approval issue created: CONTRIB-7411
  • Sat, Apr 13, 2019, 2:14 PM
    Hi Josh. This is a really interesting plugin. We have some users using SSO and others manual authentication. Also various cohorts handled separately.

    Is it possible for us to turn this function on and off for the various cohorts? Is it possible there could be an automatic alert for when a new breach is found?
  • Thu, Jan 2, 2020, 8:26 AM
    FYI we've publish an alternate plugin that tackles this differently as improvements to the password policy checks, which means it will also check HIBP for bad passwords when setting or changing passwords:

    See also this tracker which will also enforce the password policy on login, not just password change:
Please login to post comments