Security:Brute-forcing login
Latest revision as of 07:27, 6 May 2022
Important:
The content of this page has been updated and migrated to the new Moodle Developer Resources. The information on this page should no longer be considered up to date. Why not view this page on the new site and help us to migrate more content to the new site!
This page forms part of the Moodle security guidelines.
What is the danger?
Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.
They write a script that automatically tries logging in with a range of common passwords, for example, admin/admin, admin/apple, admin/1234, .... It only takes one user with a weak password that Evil Hacker can guess, and your site is compromised.
How Moodle avoids this problem
A lockout system has been present since Moodle 2.5; you just need to turn it on at Administration > Site administration > Security > Site policies ... Account lockout threshold.
Moodle also counts failed login attempts, and can alert the administrator by email when there are too many.
There are admin settings to enforce a minimum level of complexity for passwords, for example, by insisting on a minimum number of characters.
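The three mechanisms above (count failures per account, lock the account once a threshold is reached, alert the administrator when there are too many) can be modelled in a few dozen lines. The following is an added example, not Moodle's own lockout code: it is a standalone Python model whose policy values (threshold, counting window, lock duration, alert level), the `LockoutTracker` class and the password store are all constructed for the demonstration. It replays the guessing run from the text (admin/admin, admin/apple, admin/1234) against a policy that locks after three failures.

```python
"""Standalone model of an account-lockout counter with an admin alert.

Added example, not Moodle's code. Policy values, class names and the
password store are constructed for the demonstration.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5        # failures inside `window` before the account is locked
    window: int = 30 * 60     # seconds during which failures are counted together
    duration: int = 30 * 60   # seconds an account stays locked
    alert_after: int = 10     # total failures that trigger one admin alert


@dataclass
class AccountState:
    recent_failures: List[float] = field(default_factory=list)  # timestamps inside the window
    locked_until: Optional[float] = None
    total_failures: int = 0
    alerted: bool = False


class LockoutTracker:
    """Tracks failed logins per username and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[str] = []  # messages that would be e-mailed to the admin

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state(username)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # The lock has expired: clear it and start counting afresh.
        st.locked_until = None
        st.recent_failures.clear()
        return False

    def record_failure(self, username: str, now: float) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        st = self._state(username)
        st.total_failures += 1
        # Keep only the failures that fall inside the counting window.
        st.recent_failures = [t for t in st.recent_failures if now - t < self.policy.window]
        st.recent_failures.append(now)
        if len(st.recent_failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            st.recent_failures.clear()
        if st.total_failures >= self.policy.alert_after and not st.alerted:
            st.alerted = True
            self.alerts.append(f"{username}: {st.total_failures} failed logins, consider investigating")
        return st.locked_until is not None

    def record_success(self, username: str) -> None:
        st = self._state(username)
        st.recent_failures.clear()
        st.locked_until = None

    def attempt_login(self, username: str, password: str, now: float,
                      verify: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'failed' or 'ok'.

        A locked account is refused before the password is checked, so the lock
        also stops an attacker learning whether a guess was right."""
        if self.is_locked(username, now):
            return "locked"
        if verify(username, password):
            self.record_success(username)
            return "ok"
        return "locked" if self.record_failure(username, now) else "failed"


# Constructed password store; plaintext only to keep the example short.
_DEMO_USERS = {"admin": "Correct-Horse-9!"}


def demo_verify(username: str, password: str) -> bool:
    stored = _DEMO_USERS.get(username, "")
    return username in _DEMO_USERS and hmac.compare_digest(stored.encode(), password.encode())


def run_demo() -> Tuple[List[str], List[str]]:
    """Replay the guessing run from the text against a lock-after-3 policy."""
    tracker = LockoutTracker(LockoutPolicy(threshold=3, window=600, duration=900, alert_after=4))
    script = [(0, "admin"), (1, "apple"), (2, "1234"), (3, "Correct-Horse-9!"),
              (1000, "Correct-Horse-9!"), (1001, "letmein")]
    outcomes = [tracker.attempt_login("admin", pw, t, demo_verify) for t, pw in script]
    return outcomes, tracker.alerts


if __name__ == "__main__":
    print(run_demo())
```

Two points the replay makes visible: the correct password at t=3 is refused because the account is still locked, and failures spread out beyond the counting window never accumulate to the threshold, which is why the window and the duration are separate settings.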
What you need to do in your code
- If you are writing an authentication plugin, ensure that all failed logins are logged correctly.
What you need to do as an administrator
- Consider turning on the options for reporting login failures.
- Consider turning on the settings that ensure password complexity.
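The page gives minimum length as its one example of a complexity rule. The following added example (standalone Python, not Moodle's own password-policy code) goes a little further and models the other kinds of rule such a setting usually carries: minimum counts of digits, lower-case, upper-case and non-alphanumeric characters, a cap on runs of one identical character, and a denylist seeded with the guesses from the text. The `PasswordPolicy` fields, their default values and the denylist are all constructed for the demonstration.

```python
"""Standalone password-complexity checker (added example, not Moodle's code).

Policy field names, defaults and the denylist are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_nonalnum: int = 1
    max_repeat: int = 3  # longest run of one identical character allowed; 0 disables the rule
    denylist: FrozenSet[str] = frozenset({"admin", "apple", "1234"})  # constructed from the text


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character (0 for the empty string)."""
    longest = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    counts = {
        "digits": sum(c.isdigit() for c in password),
        "lower-case letters": sum(c.islower() for c in password),
        "upper-case letters": sum(c.isupper() for c in password),
        "non-alphanumeric characters": sum(not c.isalnum() for c in password),
    }
    required = (
        ("digits", policy.min_digits),
        ("lower-case letters", policy.min_lower),
        ("upper-case letters", policy.min_upper),
        ("non-alphanumeric characters", policy.min_nonalnum),
    )
    for name, needed in required:
        if counts[name] < needed:
            problems.append(f"at least {needed} {name}")
    if policy.max_repeat and longest_run(password) > policy.max_repeat:
        problems.append(f"no more than {policy.max_repeat} identical characters in a row")
    # Case-insensitive, so "Admin" is caught as well as "admin".
    if password.lower() in policy.denylist:
        problems.append("not a commonly guessed password")
    return problems


def is_compliant(password: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    return not check_password(password, policy)


if __name__ == "__main__":
    for candidate in ("1234", "aaaa1111", "Correct-Horse-9!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Returning the full list of broken rules, rather than stopping at the first, lets the user-facing form explain every requirement at once; the denylist check is the cheap counterpart to the attacker's list of common guesses.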