Compromised password blocking

Administration tools ::: tool_mupwned
Maintained by Petr Skoda
Compromised password blocking using the Have I Been Pwned database; part of the MuTMS suite of plugins.

Compromised passwords blocking plugin for Moodle™ LMS

This Moodle plugin strengthens account security by adding a site‑wide setting that checks user passwords both when they are created or updated and optionally during every login. It verifies passwords against the Have I Been Pwned database of known breaches, using the anonymous (k‑Anonymity) API mode so the full password is never sent outside Moodle. If a compromised password is detected at any of these points, the user is blocked from proceeding until they reset their password to a safer alternative. This continuous verification helps prevent account access with credentials exposed in past breaches and reduces the risk of account takeover.
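The k-Anonymity lookup described above, as an added Python example (not the plugin's own PHP code): only the first 5 hex characters of the password's SHA-1 hash leave the site, and the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. The function names, the `FakeRangeService` stub standing in for the Pwned Passwords range endpoint, and the sample passwords and counts are all constructed for illustration.

```python
import hashlib


def split_hash(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """fetch_range(prefix) returns the response body: lines of SUFFIX:COUNT."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padded responses carry filler entries with a count of 0,
            # so a suffix match alone does not mean "breached".
            return int(count) if count.isdigit() else 0
    return 0


def is_compromised(password, fetch_range):
    return breach_count(password, fetch_range) > 0


class FakeRangeService:
    """Constructed offline stand-in for the range endpoint; logs what it is sent."""

    def __init__(self, entries):
        self.requests = []
        self.buckets = {}
        for password, count in entries.items():
            prefix, suffix = split_hash(password)
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix):
        self.requests.append(prefix)
        return "\r\n".join(self.buckets.get(prefix, []))


if __name__ == "__main__":
    # Constructed sample data: one breached password, one zero-count padding entry.
    service = FakeRangeService({"Password1": 1200, "padded-only": 0})
    for pw in ("Password1", "padded-only", "long unique passphrase 7319"):
        print(pw, "->", "blocked" if is_compromised(pw, service) else "allowed")
    print("sent to service:", service.requests)
```
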

Configuration steps

  1. Install the plugin.
  2. Log in as admin, and make sure you can reset your own administrator password via email if necessary.
  3. Enable the "Password policy" setting and review the password requirements.
  4. Enable the "Check password on login" setting.
  5. Navigate to the "Site administration / Plugins / Authentication / Compromised password blocking" settings page.
  6. Enable "Detect compromised passwords".
  7. If anything goes wrong, you can also reset passwords from the CLI; see /admin/cli/reset_password.php

Contributors

Petr Skoda (Lead maintainer)