Moodle Plugins directory: Compromised password blocking | Moodle.org

Compromised password blocking
Administration tools ::: tool_mupwned
Maintained by
Petr Skoda
Compromised password blocking using the Have I Been Pwned database; part of the MuTMS suite of plugins.
Compromised passwords blocking plugin for Moodle™ LMS
This Moodle plugin strengthens account security by adding a site‑wide setting that checks user passwords both when they are created or updated and optionally during every login. It verifies passwords against the Have I Been Pwned database of known breaches, using the anonymous (k‑Anonymity) API mode so the full password is never sent outside Moodle. If a compromised password is detected at any of these points, the user is blocked from proceeding until they reset their password to a safer alternative. This continuous verification helps prevent account access with credentials exposed in past breaches and reduces the risk of account takeover.
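The k-Anonymity lookup described above, as an added sketch that is not the plugin's own code: only the first five hex characters of the password's SHA-1 hash are sent, and the remaining 35 are compared locally against the returned `SUFFIX:COUNT` lines. The function names and the stand-in range response are constructed for illustration; the page does not say whether the plugin requests padded responses, so the zero-count padding case is handled as an assumption.

```python
import hashlib

def split_sha1(password):
    """Return (prefix, suffix): 5 hex chars sent to the API, 35 kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Find the locally kept suffix in a range response of SUFFIX:COUNT lines."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.strip().isdigit():
            continue  # skip blank or malformed lines
        if candidate.upper() == suffix:
            # Padded responses contain filler entries with a count of 0;
            # those must not be treated as a breach hit.
            return int(count)
    return 0

def is_compromised(password, fetch_range):
    """fetch_range(prefix) -> response body; the password never leaves this function."""
    prefix, suffix = split_sha1(password)
    return breach_count(suffix, fetch_range(prefix)) > 0

# --- constructed test double, standing in for the real range endpoint ---
SENT = []  # records everything that would have left the host
PADDED = "correct horse battery staple (constructed)"

def fake_range_api(prefix):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    SENT.append(prefix)
    leaked, padded = split_sha1("password123"), split_sha1(PADDED)
    lines = ["0" * 35 + ":3"]                    # unrelated constructed entry
    if prefix == leaked[0]:
        lines.append(leaked[1] + ":42")          # constructed breach count
    if prefix == padded[0]:
        lines.append(padded[1] + ":0")           # constructed padding entry
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password123", PADDED):
        print(repr(pw), "compromised:", is_compromised(pw, fake_range_api))
    print("data sent off-host:", SENT)
```
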
Configuration steps
- Install the plugin.
- Log in as admin, and make sure you can reset your own administrator password via email if necessary.
- Enable the "Password policy" setting and review the password requirements.
- Enable the "Check password on login" setting.
- Navigate to the "Site administration / Plugins / Authentication / Compromised password blocking" settings page.
- Enable "Detect compromised passwords".
- If anything goes wrong, you can also reset passwords from the CLI; see /admin/cli/reset_password.php
Contributors
Petr Skoda (Lead maintainer)