Security:Brute-forcing login
Important:
The content of this page has been updated and migrated to the new Moodle Developer Resources. The information on this page should no longer be considered up to date. Why not view this page on the new site and help us migrate more content to the new site!
This page forms part of the Moodle security guidelines.
What is the danger?
Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.
They write a script that automatically tries logging in with a range of common passwords, for example admin/admin, admin/apple, admin/1234, .... It only takes one user with a weak password that Evil Hacker can guess, and your site is compromised.
How Moodle avoids this problem
An account lockout system is present in Moodle 2.5 onwards; you just need to turn it on at Administration > Site administration > Security > Site policies ... Account lockout threshold.
Moodle also counts failed login attempts, and can alert the administrator by email when there are too many.
There are admin settings to enforce a minimum level of complexity for passwords, for example, by insisting on a minimum number of characters.
What you need to do in your code
- If you are writing an authentication plugin, ensure that all failed logins are logged correctly.
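As an added illustration (not Moodle core code and not from this page), the hypothetical helper below shows how a plugin that finishes a login outside core's authenticate_user_login() (for example an SSO callback) can still feed failures into Moodle's lockout counter and log. It assumes the Moodle 2.5+ helpers in lib/moodlelib.php: login_is_lockedout(), login_attempt_failed(), login_attempt_valid(), complete_user_login() and the \core\event\user_login_failed event.

```php
<?php
// Hypothetical helper for an example auth plugin (added example, not Moodle core).
// Assumes the Moodle 2.5+ lockout helpers and event from lib/moodlelib.php.
defined('MOODLE_INTERNAL') || die();

/**
 * Finish a login whose credential check was done by the plugin itself.
 *
 * @param string $username      username as entered by the user
 * @param bool   $credentialsok result of the plugin's own credential check
 * @return bool true if a Moodle session was established
 */
function auth_example_finish_login(string $username, bool $credentialsok): bool {
    global $CFG, $DB;

    $user = $DB->get_record('user', ['username' => $username,
        'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 0]);

    if (!$user) {
        // Unknown account: still log it (no userid) so repeated guesses
        // against non-existent users show up in the logs and reports.
        \core\event\user_login_failed::create(['other' => [
            'username' => $username, 'reason' => AUTH_LOGIN_NOUSER]])->trigger();
        return false;
    }

    if (login_is_lockedout($user)) {
        // Locked out: refuse even a correct password and record the attempt.
        \core\event\user_login_failed::create(['userid' => $user->id, 'other' => [
            'username' => $username, 'reason' => AUTH_LOGIN_LOCKOUT]])->trigger();
        return false;
    }

    if (!$credentialsok) {
        // Increment the per-account failure counter; core locks the account
        // once $CFG->lockoutthreshold is reached. Then log the failure.
        login_attempt_failed($user);
        \core\event\user_login_failed::create(['userid' => $user->id, 'other' => [
            'username' => $username, 'reason' => AUTH_LOGIN_FAILED]])->trigger();
        return false;
    }

    // Success: reset the failure counter, then establish the session.
    login_attempt_valid($user);
    complete_user_login($user);
    return true;
}
```

Plugins that only implement user_login() and let core's authenticate_user_login() drive the flow get this logging from core; the helper matters when the plugin bypasses that path.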
What you need to do as an administrator
- Consider turning on the options for reporting login failures.
- Consider turning on the settings that ensure password complexity.