
Logical inconsistency between check_password_policy vs generate_password


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version: 3.8
    • Fix Version: None
    • Component: Authentication
    • Affected Branches: MOODLE_38_STABLE

    Description

      If you have a password policy, and you have extra plugins that implement the check_password_policy callback to add more constraints on the password, then it can be easy to generate a password which doesn't actually meet the password policy.

      Proposing:

      1) Add a new callback 'generate_password' to round out check_password_policy and print_password_policy which can mutate / append to the newly generated password. I think if there is a clash between the $maxlen=10 function param and $CFG->minpasswordlength then the latter should take precedence as we'll almost always be making it longer and more complicated.

      2) I can imagine some curve balls that make this non-deterministic, and so core should actually test the new password against the policy after it's been generated. If it doesn't pass then retry a couple of times and then either a debugging message or maybe a moodle_exception.
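The two proposals above, sketched as a standalone PHP illustration added here (not Moodle's code): the `$CFG` object, the two hook arrays and every function name are assumptions standing in for Moodle's real config and plugin-callback discovery.

```php
<?php
// Standalone sketch of the two proposals above; names are assumed, not Moodle's API.
$CFG = (object)['minpasswordlength' => 8];

// Plugin callbacks keyed by a constructed component name. A check returns null on
// success or an error string; a generate_password hook mutates the new password.
$checkhooks = ['local_example' => fn(string $p): ?string =>
    strpos($p, '!') === false ? 'must contain an exclamation mark' : null];
$generatehooks = ['local_example' => fn(string $p): string => $p . '!'];

// Core policy plus every plugin check_password_policy callback.
function check_password_policy_all(string $p, object $cfg, array $checkhooks): ?string {
    if (strlen($p) < $cfg->minpasswordlength) {
        return "shorter than {$cfg->minpasswordlength} characters";
    }
    foreach ($checkhooks as $check) {
        if (($err = $check($p)) !== null) {
            return $err;
        }
    }
    return null;
}

// Core generator; minpasswordlength takes precedence over $maxlen, as proposed.
function generate_core_password(int $maxlen, object $cfg): string {
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $p = '';
    for ($i = 0, $n = max($maxlen, $cfg->minpasswordlength); $i < $n; $i++) {
        $p .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $p;
}

// Proposal 1 (plugins mutate) then proposal 2 (verify, retry, fail loudly).
function generate_checked_password(int $maxlen, object $cfg, array $checkhooks,
                                   array $generatehooks, int $attempts = 3): string {
    for ($i = 0; $i < $attempts; $i++) {
        $p = generate_core_password($maxlen, $cfg);
        foreach ($generatehooks as $mutate) {
            $p = $mutate($p);
        }
        if (check_password_policy_all($p, $cfg, $checkhooks) === null) {
            return $p;
        }
    }
    throw new RuntimeException("generated password still fails the policy after $attempts attempts");
}

// With the generate_password hook the plugin rule is met; drop it and this throws.
echo generate_checked_password(10, $CFG, $checkhooks, $generatehooks), "\n";
```

Passing an empty `$generatehooks` array reproduces the inconsistency the issue describes: the core generator can never emit the character the plugin demands, so the loop exhausts its attempts and raises the exception instead of silently handing out a non-compliant password.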


      People

        Assignee: Unassigned
        Reporter: Brendan Heywood
        Participants: Jake Dallimore, Mathew May, Mihail Geshoski