It is highly recommended that a password policy is set in Administration > Security > Site policies to force users to use stronger passwords that are less susceptible to being cracked by an intruder.
In Moodle 1.9.7 onwards the password policy is enabled by default.
The password policy includes options to set the minimum length of the password, the minimum number of digits, the minimum number of lowercase characters, the minimum number of uppercase characters and the minimum number of non-alphanumeric characters.
Default password policy settings are:
- Password length - 8
- Digits - 1
- Lowercase letters - 1
- Uppercase letters - 1
- Non-alphanumeric characters - 1
If a user enters a password that does not meet the requirements, they are given an error message indicating the nature of the problem with the entered password.
- Tip: To reduce the chance of an MD5 lookup attack, passwords should have at least 8 characters and contain at least one number, at least one lowercase letter, at least one uppercase letter and at least one non-alphanumeric character.
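The following Python example is added here for illustration and is not Moodle's own code. It applies the five default settings listed above and returns one message per unmet requirement, in the way the error message described above names each problem. The names `PasswordPolicy` and `policy_violations` are hypothetical, and the character classes are assumed to follow Python's string methods.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Defaults are the values listed on this page.
    min_length: int = 8
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_nonalnum: int = 1


def policy_violations(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return one message per unmet requirement; an empty list means compliant."""
    # Assumption: character classes follow Python's str methods (Unicode-aware).
    checks = [
        (len(password), policy.min_length, "character(s) in total"),
        (sum(c.isdigit() for c in password), policy.min_digits, "digit(s)"),
        (sum(c.islower() for c in password), policy.min_lower, "lowercase letter(s)"),
        (sum(c.isupper() for c in password), policy.min_upper, "uppercase letter(s)"),
        (sum(not c.isalnum() for c in password), policy.min_nonalnum,
         "non-alphanumeric character(s)"),
    ]
    return [f"needs at least {need} {label}, found {have}"
            for have, need, label in checks if have < need]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for candidate in ["password", "Ab1!", "Sample-Pass1"]:
        problems = policy_violations(candidate)
        print(repr(candidate), "OK" if not problems else problems)
```

Passing a `PasswordPolicy` with different minimums models a site that has changed the defaults in Site policies.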
Enabling the password policy does not affect existing users until they decide to or are required to change their password. In Moodle 1.9.7 onwards, an admin can force all users to change their password using the force password change option in Bulk user actions.
- Tip: In Moodle 1.9.4 onwards, the password policy may also be applied to enrolment keys by setting enrol_manual_usepasswordpolicy to Yes in the Internal enrolment settings.