Moodle Plugins directory: Compromised password blocking | Moodle.org
Compromised password blocking
Checks passwords against the Have I Been Pwned database of known breaches when passwords are created, updated, or optionally on every login. Uses the k-Anonymity API — the full password is never sent outside Moodle. Users with a compromised password are blocked until they reset it, reducing the risk of account takeover through credentials exposed in past breaches.
Features
- Checks passwords on creation and update
- Optional check on every login
- k-Anonymity API — no full password ever leaves Moodle
- Blocks access until a compromised password is replaced
Configuration steps
- Install plugin
- Log in as admin - make sure you can reset your own administrator password via email if necessary
- Enable "Password policy" setting and review password requirements
- Enable "Check password on login" setting
- Navigate to "Site administration / Plugins / Authentication / Compromised password blocking" settings page
- Enable "Detect compromised passwords"
- If anything goes wrong you can also reset passwords from CLI, see /admin/cli/reset_password.php
Comments