If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Security:Brute-forcing login

From MoodleDocs

This content of this page has been updated and migrated to the new Moodle Developer Resources. The information contained on the page should no longer be seen up-to-date.

Why not view this page on the new site and help us to migrate more content to the new site!

This page forms part of the Moodle security guidelines.

What is the danger?

Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.

They write a script that automatically tries logging in with a range of common passwords, for example, admin/admin, admin/apple, admin/1234, .... It only takes one user with we weak password that Evil Hacker can guess, and your site is compromised.

How Moodle avoids this problem

A lockout system is present in 2.5 onwards, you just need to turn it on at Administration > Site administration > Security > Site policies ... Account lockout threshold

Moodle also counts failed login attempts, and can alert the administrator by email when there are too many.

There are admin settings to enforce a minimum level of complexity for passwords, for example, by insisting on a minimum number of characters.

What you need to do in your code

  • If you are writing an authentication plugin, ensure that all failed logins are logged correctly.

What you need to do as an administrator

  • Consider turning on the options for reporting login failures.
  • Consider turning on the settings that ensure password complexity.

See also