Skip to content

This Moodle plugin attempts to check HIBP's list of exposed passwords. Enabling your learners to be informed if their password has ever been involved in a data breach.

License

Notifications You must be signed in to change notification settings

joshwillcock/moodle-auth_vulnerablepassword

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

moodle-auth_vulnerablepassword Build Status

This Moodle plugin attempts to check HIBP's list of exposed passwords. Enabling your learners to be informed if their password has ever been involved in a data breach.

Quick Description

Over the last few years Data Breaches have been in the news a lot. It is not surprising with such large platforms being targeted that many of our account details have made their way onto the dark web or end up pasted all over the internet. In an attempt to ensure our users accounts are safe, this plugin grabs the users password and without sending it to a third party checks if the password has been compromised. If the password has been compromised it will refer the user to a warning page on login, which they can then either change their password or continue to their original destination. This will occur every time the user logs in with the compromised password until they change it.

Installation

You can download the auth plugin from: https://github.com/joshwillcock/moodle-auth_vulnerablepassword This plugin should be located and named as: [yourmoodledir]/auth/auth_vulnerablepassword Once this has been installed you will need to enable the auth which you can do in Site Admin -> Plugins -> Manage Authentication. [yourmoodleurl]/admin/settings.php?section=manageauths

Issues & Contributions

Any issues or contributions are welcome. You can create a new issue here: https://github.com/joshwillcock/moodle-auth_vulnerablepassword/issues Please create a Pull Request for contributions.

How do we know this?

We have integrated this platform with “Have I Been Pwned" a public service created by Troy Hunt ( https://www.troyhunt.com/). Troy created Have I Been Pwned ( https://haveibeenpwned.com/) which allows you to check if your details appear on these leaked lists. If your username or password appear on a list of over 5 billion accounts from over 300 leaked sources the platform will be able to tell you.

How does this work?

It is critical that we do not send your password to be validated to a third party. So when you provide us with your password we encrypt it using a method called SHA-1( https://en.wikipedia.org/wiki/SHA-1). As an example the password “Password123” will be encrypted as “b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1”. We then ask the API for all the passwords which start “B2e98”, this way your password is never sent outside of the LMS. We are then given a list of every password which begins with that. We then check to see if the remaining 35 characters of your encrypted password appears in the list we are given. If it does, we let you know immediately.

Acknowlegements

This plugin uses Have I Been Pwned API. Created by Troy Hunt. This idea was based from a similar Wordpress project by Wordfence(https://www.wordfence.com/blog/2018/03/password-leak-attacks-wordpress/). This plugin has been created by Josh Willcock for the members of The Charity Learning Consortium.

About

This Moodle plugin attempts to check HIBP's list of exposed passwords. Enabling your learners to be informed if their password has ever been involved in a data breach.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages