08 March 2010, 21:03

Is there a way to change the password requirement for Mahara users? I know strong passwords are good but there is always a security/usability tradeoff and it is nice to have the choice. It is annoying that Moodle and Mahara have different password policies too.

08 March 2010, 21:16

Alistair,

The Mahara password policy is defined for "internal" in /auth/internal/lib.php:

public function is_password_valid($password) {
        if (!preg_match('/^[a-zA-Z0-9 ~!@#\$%\^&\*\(\)_\-=\+\,\.<>\/\?;:"\[\]\{\}\\\|`\']{6,}$/', $password)) {
            return false;
        }
        // The password must have at least one digit and two letters in it
        if (!preg_match('/[0-9]/', $password)) {
            return false;
        }

        $password = preg_replace('/[a-zA-Z]/', "\0", $password);
        if (substr_count($password, "\0") < 2) {
            return false;
        }
        return true;

You could edit these conditions to suit your requirements.

In Moodle, you can set the password policy in Security > Site Policies.

08 March 2010, 22:16

That is what I needed to know.

Thanks Steve, you have been very helpful.