
Support /.well-known/password-change requests from password managers


Details

    • MOODLE_311_STABLE, MOODLE_400_STABLE, MOODLE_402_STABLE
    • MOODLE_403_STABLE
    • MDL-69958-well-known-password
      Prerequisites
      • A Chrome profile where the passwords for your Moodle instance have not been saved yet.
      • If you want to use a Chrome profile that has already saved your instance passwords, you can delete them by entering "chrome://password-manager/passwords" in your browser.

      Test
      1. Create or find any test user, e.g. 'admin'.
      2. Set their password to a known compromised password (e.g. "admin" or "test"):

        php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy

      3. Set up error page handling for Apache / nginx.
        • TL;DR for an Apache server: edit "httpd.conf" and add the line

          ErrorDocument 404 /[YOUR_MOODLE_ROOT]/error/index.php

          then restart Apache. For example, if your Moodle instance is accessed via http://localhost/integration_master, the "ErrorDocument 404" setting must point to "/integration_master/error/index.php".

      4. Visit a non-existent URL (e.g. [YOUR_MOODLE_URL]/not-a-page) and confirm you see the Moodle-themed error page.
      5. Log in to your Moodle instance using the admin account, and save this password using the Chrome password manager.
      6. Confirm that you can see the password here in the Chrome password manager:

        chrome://password-manager/passwords

        If you are not prompted to save your password, you can click 'Add' under 'Saved passwords' and manually enter the site domain, username and password.

      7. Confirm you see 'N compromised passwords' in Chrome, then click on the arrow. If you do not see this, click 'Check again' and confirm it rescanned your passwords and found the compromised one.

        chrome://password-manager/checkup?start=true

      8. Find the entry for your Moodle domain (e.g. localhost) and click 'Change password' next to it.
      9. Confirm you are taken directly to the change password page:

        /login/change_password.php

        • Note: you might be prompted to log in first before you are redirected to the change password page.

    Description

      Most modern password managers automatically scan for passwords that have been compromised and alert you to change them. There is a spec that allows password managers to blindly link to a well-known URL for resetting a password on any site:

      /.well-known/change-password

      Specifically for Moodle, this should redirect to: /login/change_password.php

      The spec is here:

      https://w3c.github.io/webappsec-change-password-url/

      This is supported in lots of places:

      • Chrome
      • Safari / iOS
      • 1Password
      • LastPass
      • Bitwarden

      It is implemented on tons of sites, e.g.:

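      The check a reviewer would want to run against the redirect described above and the 404 handling from the testing instructions, as an added example that is not part of the Moodle patch: the W3C spec also defines a probe URL (/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200) that user agents may fetch first, and if the site answers 200 to it (for example because a catch-all error page returns 200 instead of 404), the change-password URL is ignored. The script assumes a reachable base URL such as http://localhost/ and uses only the standard library.

```python
"""Check a site's /.well-known/change-password behaviour against the
W3C webappsec-change-password-url spec. Added example, not Moodle code."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

CHANGE_PW = "/.well-known/change-password"
# Probe URL from the spec: a server answering 200 here is assumed to answer
# 200 to everything, so its change-password URL cannot be trusted.
PROBE = ("/.well-known/resource-that-should-not-exist-"
         "whose-status-code-should-not-be-200")


def evaluate(change_status, change_location, probe_status):
    """Decide from the two raw responses whether the site is compliant.

    change_status / probe_status: integer HTTP status codes.
    change_location: the Location header of the change-password response, or None.
    Returns (ok, reason)."""
    if probe_status == 200:
        return False, "error page returns 200 instead of 404 (probe URL was 'found')"
    if 300 <= change_status < 400:
        if not change_location:
            return False, "redirect without a Location header"
        return True, "redirects to %s" % change_location
    if change_status == 200:
        return True, "serves the change-password page directly"
    return False, "change-password URL returned HTTP %d" % change_status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it,
    # so we can inspect the Location header ourselves.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(url):
    """Return (status, Location header or None) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def check_site(base_url):
    # Well-known URLs live at the origin root, so a sub-directory install
    # (e.g. /integration_master) must still answer at /.well-known/ on the host.
    change_status, location = _fetch(urljoin(base_url, CHANGE_PW))
    probe_status, _ = _fetch(urljoin(base_url, PROBE))
    return evaluate(change_status, location, probe_status)


if __name__ == "__main__":
    ok, why = check_site(sys.argv[1] if len(sys.argv) > 1 else "http://localhost/")
    print("OK" if ok else "FAIL", why)
```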

      Attachments

        • MDL-69958.png (1.62 MB, Ron Carl Alfon Yu)


      People

        • brendanheywood (Brendan Heywood)
        • Andrew Lyons
        • Jun Pataleta
        • Ron Carl Alfon Yu