Security:Brute-forcing login

From MoodleDocs

This page forms part of the Moodle security guidelines.

What is the danger?

Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.

They write a script that automatically tries logging in with a range of common passwords, for example admin/admin, admin/apple, admin/1234, and so on, or that tries the same handful of common passwords against every username they know. It only takes one user with a weak password that Evil Hacker can guess, and your site is compromised.


How Moodle avoids this problem

A lockout system is present in Moodle 2.5 onwards, but it is off by default: turn it on at Administration > Site administration > Security > Site policies by setting Account lockout threshold to the number of failed attempts you will allow. The neighbouring settings control the window within which attempts are counted and how long the account stays locked. Bear the trade-off in mind: anyone who knows a username can lock that account on purpose by failing repeatedly, so keep the lock temporary rather than permanent.

Moodle also counts failed login attempts and can email administrators when the number of failures exceeds a configurable threshold (the Login failures notification settings on the same page).

There are admin settings to enforce a minimum level of complexity for passwords, for example by insisting on a minimum length and on a minimum number of digits, lower-case, upper-case and non-alphanumeric characters.

What you need to do in your code

  • If you are writing an authentication plugin, ensure that all failed logins are logged correctly. If your plugin only implements user_login(), core's authenticate_user_login() already applies the lockout threshold and records each failure around that call; if your plugin has a login path of its own (for example a token or SSO callback), it must record every failed attempt and honour the lockout itself, otherwise the protections above do not see the attack.
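The following is an added example, not code from Moodle core or from any real plugin, showing how a hypothetical plugin auth_mytoken with its own login path keeps core's failure counters and events in step. The class and plugin name, the auth_mytoken table and its tokenhash column are assumptions; login_is_lockedout(), login_attempt_failed(), login_attempt_valid() and complete_user_login() are core functions in lib/moodlelib.php (2.5 onwards) and \core\event\user_login_failed is the core event (2.6 onwards), so check them against the Moodle version you target.

```php
<?php
// auth/mytoken/auth.php: hypothetical plugin used only for this example.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/authlib.php');

class auth_plugin_mytoken extends auth_plugin_base {

    public function __construct() {
        $this->authtype = 'mytoken';
    }

    /**
     * Standard entry point called by core authenticate_user_login().
     * Core checks the lockout and triggers user_login_failed around this
     * call, so the plugin only has to answer honestly.
     */
    public function user_login($username, $password) {
        return $this->verify_token($username, $password);
    }

    /**
     * Plugin-specific login path that bypasses authenticate_user_login(),
     * e.g. a callback from an external token issuer. Core is not in the
     * loop here, so the plugin does the bookkeeping itself.
     */
    public function login_with_token($username, $token) {
        global $DB, $CFG;

        $user = $DB->get_record('user', [
            'username'   => $username,
            'mnethostid' => $CFG->mnet_localhost_id,
            'deleted'    => 0,
        ]);

        if (!$user) {
            // Unknown account: still record it so reports and notifications see the attempt.
            \core\event\user_login_failed::create([
                'other' => ['username' => $username, 'reason' => AUTH_LOGIN_NOUSER],
            ])->trigger();
            return false;
        }

        if (login_is_lockedout($user)) {
            // Refuse without even checking the token, exactly as core does.
            \core\event\user_login_failed::create([
                'userid' => $user->id,
                'other'  => ['username' => $username, 'reason' => AUTH_LOGIN_LOCKOUT],
            ])->trigger();
            return false;
        }

        if (!$this->verify_token($username, $token)) {
            // Counts the failure and locks the account once lockoutthreshold is reached.
            login_attempt_failed($user);
            \core\event\user_login_failed::create([
                'userid' => $user->id,
                'other'  => ['username' => $username, 'reason' => AUTH_LOGIN_FAILED],
            ])->trigger();
            return false;
        }

        // Success: reset the failure counter before creating the session.
        login_attempt_valid($user);
        complete_user_login($user);
        return true;
    }

    /**
     * Hypothetical check: the table auth_mytoken(username, tokenhash) is assumed
     * to hold password_hash() output, so password_verify() gives a constant-time
     * comparison and never needs the plaintext token stored anywhere.
     */
    private function verify_token($username, $token) {
        global $DB;
        $rec = $DB->get_record('auth_mytoken', ['username' => $username]);
        return $rec && password_verify((string) $token, $rec->tokenhash);
    }
}
```

The important property is that every branch that returns false also calls login_attempt_failed() or triggers the user_login_failed event (or both), so that a script hammering this callback is throttled and reported exactly like one hammering the normal login form.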


What you need to do as an administrator

  • Turn on the account lockout threshold; it is off by default.
  • Consider turning on the options for reporting login failures.
  • Consider turning on the settings that ensure password complexity.
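As an added example covering both the settings described under "How Moodle avoids this problem" and the administrator steps above, here is a config.php excerpt that forces those settings so they cannot be relaxed through the admin UI. The setting names are Moodle core's; the values chosen here are assumptions to adapt to your site, and the weak default is shown beside each hardened value.

```php
<?php
// config.php excerpt (example values, not a recommendation for every site).
// ... existing $CFG->dbtype, $CFG->wwwroot and similar settings ...

// Account lockout (Site administration > Security > Site policies).
// Default lockoutthreshold = 0, i.e. no lockout at all.
$CFG->lockoutthreshold = 5;        // lock after 5 failed attempts ...
$CFG->lockoutwindow    = 30 * 60;  // ... counted within a 30-minute window (seconds)
$CFG->lockoutduration  = 30 * 60;  // keep the lock temporary: 30 minutes (seconds)

// Login failure notification (sent by cron).
// notifyloginfailures (who receives the email) is a user list; pick the
// recipients in the UI. Default threshold 10 failures; lower it on a small site.
$CFG->notifyloginthreshold = 5;

// Password policy. Default minpasswordlength is 8 with one of each class;
// a longer minimum does more against guessing than extra character classes.
$CFG->passwordpolicy           = 1;
$CFG->minpasswordlength        = 12;
$CFG->minpassworddigits        = 1;
$CFG->minpasswordlower         = 1;
$CFG->minpasswordupper         = 1;
$CFG->minpasswordnonalphanum   = 1;
$CFG->maxconsecutiveidentchars = 3;  // default 0 = no limit on repeated characters
```

Settings defined in config.php appear as locked in the admin interface, which is useful when several administrators share a site; if you prefer to keep them editable, set the same values on the Site policies page instead.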


See also