Moodle MDL-69958
Support /.well-known/password-change requests from password managers

    • MOODLE_311_STABLE, MOODLE_400_STABLE, MOODLE_402_STABLE
    • MOODLE_403_STABLE
    • MDL-69958-well-known-password
      Prerequisites
      • A Chrome profile where the passwords for your Moodle instance have not been saved yet.
      • If you want to use a Chrome profile that has already saved your instance passwords, you can delete them by entering "chrome://password-manager/passwords" in your browser.
      Test
      1. Create or find any test user, e.g. 'admin'.
      2. Set their password to a known compromised password (e.g. "admin" or "test"):

        php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy  

      3. Set up error page handling for Apache / nginx.
        • TL;DR for Apache server - Edit "httpd.conf" and add the line

          ErrorDocument 404 /[YOUR_MOODLE_ROOT]/error/index.php
          

          then restart Apache. For example, if your Moodle instance can be accessed via http://localhost/integration_master, the "ErrorDocument 404" setting must point to "/integration_master/error/index.php".

      4. Visit a non-existent URL (e.g. [YOUR_MOODLE_URL]/not-a-page) and confirm you see the Moodle-themed error page.
      5. Log in to your Moodle instance using the admin account, and save this password using the Chrome password manager.
      6. Confirm that you can see the password here in the Chrome password manager:

        chrome://password-manager/passwords

        If you are not prompted to save your password, you can click 'Add' under 'Saved passwords' and manually enter the site domain, username and password.

      7. Confirm you see 'N compromised passwords' in Chrome, then click on the arrow. If you didn't see this, click 'Check again' and confirm it rescanned your passwords and found the compromised one:
        chrome://password-manager/checkup?start=true
      8. Find the entry for your Moodle domain (e.g. localhost), click 'Change password' next to it
      9. Confirm you are taken directly to the change password page

        /login/change_password.php

        • Note: You might get prompted to log in first before you get redirected to the Change password page.

      Most modern password managers will automatically scan for passwords which have been compromised and alert you to change them. There is a spec which allows password managers to blindly link to a well-known URL for resetting a password on any site:

      /.well-known/change-password

      Specifically for Moodle, this should redirect to: /login/change_password.php

      The spec is here:

      https://w3c.github.io/webappsec-change-password-url/
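      As an added example (not Moodle's own code), this is the redirect logic a 404 handler of the kind wired up by the "ErrorDocument 404 .../error/index.php" step needs: it maps the well-known path under the install prefix (e.g. /integration_master) to /login/change_password.php and keeps a real 404 for every other unknown URL, so a client probing a non-existent resource never gets a 200. The function name and the $wwwroot value are placeholders of mine.

```php
<?php
// Added example, not Moodle's code: minimal 404 handler invoked by
// "ErrorDocument 404 /[YOUR_MOODLE_ROOT]/error/index.php" (Apache) or an
// equivalent nginx error_page directive.

/**
 * Return the redirect target for a requested URI, or null when the request
 * is an ordinary 404 that should get the themed error page.
 *
 * @param string $requesturi Raw request URI, e.g. $_SERVER['REQUEST_URI'].
 * @param string $wwwroot    Site root URL (placeholder for Moodle's $CFG->wwwroot).
 */
function wellknown_redirect_target(string $requesturi, string $wwwroot): ?string {
    // Drop any query string or fragment; the well-known URL carries neither.
    $path = parse_url($requesturi, PHP_URL_PATH) ?? '';
    // Install prefix such as "/integration_master", or "" for a root install.
    $prefix = rtrim((string) parse_url($wwwroot, PHP_URL_PATH), '/');
    // Match only directly under the site root, never deeper in the tree.
    if ($path === $prefix . '/.well-known/change-password') {
        return $wwwroot . '/login/change_password.php';
    }
    return null;
}

// Placeholder for $CFG->wwwroot; constructed value for this example.
$wwwroot = 'http://localhost/integration_master';
$target = wellknown_redirect_target($_SERVER['REQUEST_URI'] ?? '', $wwwroot);

if ($target !== null) {
    // The spec asks the well-known URL to redirect to the real change-password
    // page; Moodle may show its login form first if the session is not yet
    // authenticated, which is the "you might get prompted to log in" note above.
    header('Location: ' . $target, true, 302);
    exit;
}

// Every other unknown URL: keep the 404 status and render the error page.
http_response_code(404);
echo '<h1>Page not found</h1>';
```

To verify, request the well-known path with `curl -sI` and confirm a 302 with the expected Location header, then request `/not-a-page` and confirm it still answers 404 rather than 200.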

      This is supported in lots of places:

      • Chrome
      • Safari / iOS
      • 1Password
      • LastPass
      • Bitwarden

      It is implemented on tons of sites eg:

            Brendan Heywood
            Andrew Lyons
            Jun Pataleta
            Ron Carl Alfon Yu