08451 707 702 info@charitylearning.org

Moodle Impossible: Vulnerable Passwords

It’s never been more important to protect learners’ data. Josh Willcock explains how a ground breaking new plug-in for our learning management system helps keep passwords secure.

Data breaches consistently hit the news headlines, with even large, traditionally secure organisations like banks being targeted. So it’s not surprising that personal and account details can make their way either secretly on to the dark web or posted openly on to the internet.

Here at the Charity Learning Consortium we provide eLearning to approximately 2 million staff and volunteers, through more than 135 charitable organisations. That’s a lot of data! So we’re constantly finding new and innovative ways to guarantee that it stays safe.

A new little Moodle plugin that I’ve created looks at users passwords and  – crucially, without sending any information to a third party – checks to see if they have been compromised. If so, it will alert the user and ask them to change their password and will keep flagging up alerts until they do so.

The idea itself isn’t new, but I believe that it’s the first time that a plugin like this has been created for a learning management system (LMS). It’s a neat little piece of free, open source code to use with Moodle. In this way, collaboration between developers helps everyone stay ahead of technological changes. At the Consortium, collaboration is at the heart of everything that we do, so please do pass this on to anyone else that you think might benefit from using it.



You can download the plugin from: https://github.com/joshwillcock/moodle-auth_vulnerablepassword

If you’re a member of the Consortium, you should have already received some information directly from us with instructions as to how to upload and use this plug-in.


Further details

I’ve integrated the plug-in with Have I Been Pwned a public service created by Troy Hunt . Have I Been Pwned allows you to check if your details appear on any leaked lists. If your username or password appear on a list of over five billion accounts from over 300 leaked sources the platform will be able to tell you. Anyone can use Have I Been Pwned to check any of their email accounts.


How does this work?

It’s critical that passwords to be validated are not sent to a third party. When you provide your password, it’s encrypted using a method called SHA-1

As an example the password ‘Password123’ will be encrypted as b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1.

In this example, the plugin initially asks for any passwords which start with b2e98, and then double checks the remaining 35 characters to see if the precise password appears on any lists of compromised data. All this is done in about half a second, and without your password leaving the LMS.



This plugin uses the Have I Been Pwned API created by Troy Hunt. This idea was based from a similar WordPress project by Wordfence.

This plugin has been created by Josh Willcock for the members of The Charity Learning Consortium.

“I’ve read the article, what’s the next step?”


Read about earlier developments Josh has made here:



About the author

Josh is the Head of Technology at the Charity Learning Consortium. Fuelled by coffee and custard creams, he’s now looking for his next impossible project. Connect with him on Twitter @Josh_Willcock.

Read more from the CLC…

Four great reasons to visit Learning Technologies in 2019

This year Learning Technologies – the biggest learning event in Europe – moves to ExCeL and is all set to be bigger and better than ever before. Here are four reasons why you should make time to visit on 13 & 14 February.

The LMS that has it all

Lou Guy developed such an impressive learning management system at the Teach First education charity that she won a Charity Learning Award for her work. We caught up with her before she left Teach First to join Baringa.

Rewiring your mindset

Liggy Webb shares seven steps to cultivate a 21st century mindset. In a rapidly evolving world that heavily relies on an ability to adapt it’s important to be aware that you can choose and change your mindset.

Collaboration: It’s all about trust

Collaboration: It's all about trust Phil Maynard, the Top Community Contributor in the Charity Learning Awards, says great collaboration means making yourself vulnerable, and that takes trust. Read on for his advice on making the most of collaboration. What have been...

Charity Learning annual conference 2018 review

Charity Learning annual conference review Bob Little outlines highlights, along with some hints and tips that he drew from the Charity Learning Consortium annual conference This year’s annual Conference for members of the Charity Learning Consortium (CLC) took place...

Don’t let your staff pay the price of success

Don’t let your staff pay the price of success Before you launch #UKCharityWeek spare a thought for how you will support your staff and volunteers, says Martin Baker of the Charity Learning Consortium, as demand for your services may increase as a result of raising...

CL Consortium Ltd
Vine House, Selsley Road,
Stroud, GL5 5NN