Moodle Impossible: Vulnerable Passwords

It’s never been more important to protect learners’ data. Josh Willcock explains how a groundbreaking new plug-in for our learning management system helps keep passwords secure.

Data breaches consistently hit the news headlines, with even large, traditionally secure organisations like banks being targeted. So it’s not surprising that personal and account details can make their way on to the dark web in secret, or be posted openly on the internet.

Here at the Charity Learning Consortium we provide eLearning to approximately 2 million staff and volunteers, through more than 135 charitable organisations. That’s a lot of data! So we’re constantly finding new and innovative ways to guarantee that it stays safe.

A new little Moodle plugin that I’ve created looks at users’ passwords and – crucially, without sending any information to a third party – checks to see if they have been compromised. If so, it will alert the user and ask them to change their password, and will keep flagging up alerts until they do so.

The idea itself isn’t new, but I believe that it’s the first time that a plugin like this has been created for a learning management system (LMS). It’s a neat little piece of free, open source code to use with Moodle. In this way, collaboration between developers helps everyone stay ahead of technological changes. At the Consortium, collaboration is at the heart of everything that we do, so please do pass this on to anyone else that you think might benefit from using it.

 

Installation

You can download the plugin from: https://github.com/joshwillcock/moodle-auth_vulnerablepassword

If you’re a member of the Consortium, you should have already received some information directly from us with instructions as to how to upload and use this plug-in.

 

Further details

I’ve integrated the plug-in with Have I Been Pwned, a public service created by Troy Hunt. Have I Been Pwned allows you to check if your details appear on any leaked lists. If your username or password appears on a list of over five billion accounts from over 300 leaked sources, the platform will be able to tell you. Anyone can use Have I Been Pwned to check any of their email accounts.

 

How does this work?

It’s critical that passwords to be validated are not sent to a third party. When you provide your password, it’s hashed using an algorithm called SHA-1.

As an example, the password ‘Password123’ hashes to b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1.

In this example, the plugin initially asks for any compromised password hashes which start with b2e98, and then double checks the remaining 35 characters to see if the precise password appears on any lists of compromised data. All this is done in about half a second, and without your password leaving the LMS.
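The prefix-and-suffix check described above, as an added Python example that is not the plugin's own code. The function names and the stand-in service with its sample count are assumptions constructed here so that the block runs offline; the stand-in also returns a zero-count filler entry to show that such lines never register as a match.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Return the SHA-1 hex digest as (first 5 characters, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts  # blank or malformed lines are ignored


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in breach data; 0 means not found."""
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)  # only these 5 characters leave the system
    return parse_range(body).get(suffix, 0)  # suffix is compared locally


def make_fake_service(breached: Dict[str, int]) -> Tuple[Callable[[str], str], List[str]]:
    """Constructed stand-in for the remote service; records what it receives."""
    seen: List[str] = []

    def fetch(prefix: str) -> str:
        seen.append(prefix)
        lines = ["0" * 35 + ":0"]  # constructed zero-count filler entry
        for pw, n in breached.items():
            p, s = split_sha1(pw)
            if p == prefix:
                lines.append(f"{s.lower()}:{n}")  # lowercase to exercise case handling
        return "\r\n".join(lines)

    return fetch, seen


if __name__ == "__main__":
    fetch, seen = make_fake_service({"Password123": 1234})  # constructed count
    for candidate in ("Password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("sent to the service:", seen)
```

The `seen` list shows that the remote side only ever receives five hex characters per lookup, never the password or its full hash.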

 

Acknowledgements

This plugin uses the Have I Been Pwned API created by Troy Hunt. The idea was based on a similar WordPress project by Wordfence.

This plugin has been created by Josh Willcock for the members of The Charity Learning Consortium.

“I’ve read the article, what’s the next step?”

 

Read about earlier developments Josh has made here:

https://charitylearning.org/2017/11/impossible-moodle-functionality-goes-live/

https://charitylearning.org/2016/02/moodle-development-supports-team-learning/

About the author

Josh is the Head of Technology at the Charity Learning Consortium. Fuelled by coffee and custard creams, he’s now looking for his next impossible project. Connect with him on Twitter @Josh_Willcock.
