This Moodle plugin attempts to check HIBP's list of exposed passwords. Enabling your learners to be informed if their password has ever been involved in a data breach.
Over the last few years Data Breaches have been in the news a lot. It is not surprising with such large platforms being targeted that many of our account details have made their way onto the dark web or end up pasted all over the internet. In an attempt to ensure our users accounts are safe, this plugin grabs the users password and without sending it to a third party checks if the password has been compromised. If the password has been compromised it will refer the user to a warning page on login, which they can then either change their password or continue to their original destination. This will occur every time the user logs in with the compromised password until they change it.
You can download the auth plugin from: https://github.com/joshwillcock/moodle-auth_vulnerablepassword This plugin should be located and named as: [yourmoodledir]/auth/auth_vulnerablepassword Once this has been installed you will need to enable the auth which you can do in Site Admin -> Plugins -> Manage Authentication. [yourmoodleurl]/admin/settings.php?section=manageauths
Any issues or contributions are welcome. You can create a new issue here: https://github.com/joshwillcock/moodle-auth_vulnerablepassword/issues Please create a Pull Request for contributions.
We have integrated this platform with “Have I Been Pwned" a public service created by Troy Hunt ( https://www.troyhunt.com/). Troy created Have I Been Pwned ( https://haveibeenpwned.com/) which allows you to check if your details appear on these leaked lists. If your username or password appear on a list of over 5 billion accounts from over 300 leaked sources the platform will be able to tell you.
It is critical that we do not send your password to be validated to a third party. So when you provide us with your password we encrypt it using a method called SHA-1( https://en.wikipedia.org/wiki/SHA-1). As an example the password “Password123” will be encrypted as “b2e98ad6f6eb8508dd6a14cfa704bad7f05f6fb1”. We then ask the API for all the passwords which start “B2e98”, this way your password is never sent outside of the LMS. We are then given a list of every password which begins with that. We then check to see if the remaining 35 characters of your encrypted password appears in the list we are given. If it does, we let you know immediately.
This plugin uses Have I Been Pwned API. Created by Troy Hunt. This idea was based from a similar Wordpress project by Wordfence(https://www.wordfence.com/blog/2018/03/password-leak-attacks-wordpress/). This plugin has been created by Josh Willcock for the members of The Charity Learning Consortium.