Data breaches consistently hit the news headlines, with even large, traditionally secure organisations like banks being targeted. So it’s not surprising that personal and account details can make their way either secretly on to the dark web or posted openly on to the internet. Here at the Charity Learning Consortium we provide eLearning to approximately 2 million staff and volunteers, through more than 135 charitable organisations. That’s a lot of data! So we’re constantly finding new and innovative ways to guarantee that it stays safe. A new little Moodle plugin that I’ve created looks at users passwords and – crucially, without sending any information to a third party – checks to see if they have been compromised. If so, it will alert the user and ask them to change their password and will keep flagging up alerts until they do so. The idea itself isn’t new, but I believe that it’s the first time that a plugin like this has been created for a learning management system (LMS). It’s a neat little piece of free, open source code to use with Moodle. In this way, collaboration between developers helps everyone stay ahead of technological changes. At the Consortium, collaboration is at the heart of everything that we do, so please do pass this on to anyone else that you think might benefit from using it.
InstallationYou can download the plugin from: https://github.com/joshwillcock/moodle-auth_vulnerablepassword If you’re a member of the Consortium, you should have already received some information directly from us with instructions as to how to upload and use this plug-in.
Further detailsI’ve integrated the plug-in with Have I Been Pwned a public service created by Troy Hunt . Have I Been Pwned allows you to check if your details appear on any leaked lists. If your username or password appear on a list of over five billion accounts from over 300 leaked sources the platform will be able to tell you. Anyone can use Have I Been Pwned to check any of their email accounts.
How does this work?It’s critical that passwords to be validated are not sent to a third party. When you provide your password, it’s encrypted using a method called SHA-1 As an example the password ‘Password123’ will be encrypted as b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1. In this example, the plugin initially asks for any passwords which start with b2e98, and then double checks the remaining 35 characters to see if the precise password appears on any lists of compromised data. All this is done in about half a second, and without your password leaving the LMS.
AcknowledgementsThis plugin uses the Have I Been Pwned API created by Troy Hunt. This idea was based from a similar WordPress project by Wordfence. This plugin has been created by Josh Willcock for the members of The Charity Learning Consortium.
Read more from the CLC…