
Security:Brute-forcing login

From MoodleDocs
Revision as of 12:17, 6 November 2009 by Tim Hunt (talk | contribs) (New page: This page forms part of the Moodle security guidelines. ==What is the danger?== Evil Hacker wants to break into your Moodle site by stealing the account of a reg...)

This page forms part of the Moodle security guidelines.

What is the danger?

Evil Hacker wants to break into your Moodle site by stealing the account of a registered user.

They write a script that automatically tries logging in with a range of common passwords, for example admin/admin, admin/apple, admin/1234, and so on. It only takes one user with a weak password that Evil Hacker can guess, and your site is compromised.


How Moodle avoids this problem

Moodle records each failed login attempt in its log, counts them, and can alert the administrator by email when the number of failures in a period exceeds a configured threshold. The alert tells you that a guessing attack is in progress; it is the password complexity settings below that make the guesses fail.

There are admin settings that enforce a minimum level of password complexity, for example by requiring a minimum number of characters, so that passwords like those in the guessing list above cannot be chosen in the first place.
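The two defences described above, as an added stand-alone example (not Moodle's own code): counting failed logins per account and source address over a sliding window and flagging the ones that cross a threshold, and checking a candidate password against a set of complexity rules. The sample log records, the short common-password list and all parameter names are this example's constructed assumptions, not Moodle configuration keys.

```python
"""Added example, not Moodle code: failed-login counting with a threshold
alert, and a password complexity check, runnable on constructed input."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records: (timestamp, username, source ip).
# A guessing script hits one account from one host every two seconds;
# one ordinary user mistypes their password once.
FAILED_LOGINS = [
    (datetime(2009, 11, 6, 12, 0, 0) + timedelta(seconds=2 * i), "admin", "203.0.113.7")
    for i in range(12)
] + [
    (datetime(2009, 11, 6, 12, 0, 30), "alice", "198.51.100.4"),
]

# Constructed, deliberately tiny common-password list (a real one is much larger).
COMMON_PASSWORDS = {"admin", "apple", "1234", "password", "letmein"}


def failures_over_threshold(events, threshold, window_seconds):
    """Return {(username, ip): peak_count} for every account/source pair whose
    failures exceed `threshold` inside any sliding window of `window_seconds`.
    Keying on both account and source keeps one user's single typo from
    raising an alert while still catching a script hammering one account."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, user, ip in events:
        by_key[(user, ip)].append(ts)

    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits the current timestamp.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def password_policy_violations(password, min_length=8, min_digits=1,
                               min_lower=1, min_upper=1, min_nonalnum=1):
    """Return the list of rules a candidate password breaks; an empty list
    means it passes. The rule kinds mirror the complexity settings the text
    mentions; the parameter names are this example's, not Moodle's."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(c.isdigit() for c in password) < min_digits:
        problems.append(f"fewer than {min_digits} digit(s)")
    if sum(c.islower() for c in password) < min_lower:
        problems.append(f"fewer than {min_lower} lower-case letter(s)")
    if sum(c.isupper() for c in password) < min_upper:
        problems.append(f"fewer than {min_upper} upper-case letter(s)")
    if sum(not c.isalnum() for c in password) < min_nonalnum:
        problems.append(f"fewer than {min_nonalnum} non-alphanumeric character(s)")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    return problems


if __name__ == "__main__":
    # More than 10 failures within 60 seconds for one account/source pair.
    for (user, ip), count in failures_over_threshold(FAILED_LOGINS, 10, 60).items():
        print(f"ALERT: {count} failed logins for {user!r} from {ip} within 60s")
    for candidate in ("apple", "Tr0ub4dor&3"):
        print(candidate, "->", password_policy_violations(candidate) or "ok")
```

Both checks consume the same records the attacker generates, which is why the developer advice further down insists that every failed attempt is logged: a login path that silently drops failures blinds the counter.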


What you need to do in your code

  • If you are writing an authentication plugin, ensure that every failed login attempt is logged in the same way as a core login failure, so that the failure counting and administrator alerts described above see it.


What you need to do as an administrator

  • Consider turning on the options for reporting login failures, and check that the notification email actually reaches someone who will act on it.
  • Consider turning on the settings that enforce password complexity, so that the common passwords a guessing script tries first cannot be chosen.

