Security:Brute-forcing login

Jump to: navigation, search

This page forms part of the Moodle security guidelines.

What is the danger?

Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.

They write a script that automatically tries logging in with a range of common passwords, for example, admin/admin, admin/apple, admin/1234, .... It only takes one user with we weak password that Evil Hacker can guess, and your site is compromised.


How Moodle avoids this problem

A lockout system is present in 2.5 onwards, you just need to turn it on at Administration > Site administration > Security > Site policies ... Account lockout threshold

Moodle also counts failed login attempts, and can alert the administrator by email when there are too many.

There are admin settings to enforce a minimum level of complexity for passwords, for example, by insisting on a minimum number of characters.

What you need to do in your code

  • If you are writing an authentication plugin, ensure that all failed logins are logged correctly.


What you need to do as an administrator

  • Consider turning on the options for reporting login failures.
  • Consider turning on the settings that ensure password complexity.


See also