Password Expiry in Moodle
If you’re managing your users within Moodle — as opposed to using external services like Active Directory or a management database — then you have the option of enforcing an expiry period for user passwords. This blog post looks at the use of this policy and how it works behind the scenes.
Password expiry settings
The policy needs to be enabled by going to Site administration → Plugins → Authentication → Manual accounts and setting Enable password expiry to “Yes”. Then you can configure the maximum age for passwords on your site with the Password duration setting. This has a default of 30 days, the minimum, and a maximum of one year.
One thing to be aware of is that this setting only takes effect when a user has changed their own password. It does not affect:
1. New users whose password is set by a site admin.
2. Existing users who do not change their password after the policy is enabled.
In both of these cases the user passwords will never expire. In order to bring these users into line with the policy we must ensure that the user changes their password.
Forcing password change
When creating new users either use the Generate password and notify user option to notify the user with a generated password which then must be changed. You’ll need to ensure that your Moodle site is configured to send email. Alternatively Force password change can be used to ensure the user changes their password the first time they log into your site.
For existing users you can use Bulk user actions changing With selected users… to “Force password change”.
Behind the scenes
We’ve covered how to enable the policy and ensure it takes effect but how do these settings affect objects in the database?
The timestamp of the user password change is stored in mdl_user_preferences‘s value column with name = “auth_manual_passwordupdatetime” and the corresponding userid. In line with the behaviour described in the previous section this row is only added when the user changes their password. If the policy is enabled you can see the timestamps of when user passwords were last set with (MySQL or MariaDB):
SELECT mdl_user.id AS userid, username, FROM_UNIXTIME(value) AS password_change FROM mdl_user LEFT OUTER JOIN mdl_user_preferences ON mdl_user.id = mdl_user_preferences.userid AND name = 'auth_manual_passwordupdatetime' WHERE auth = 'manual' AND deleted = 0;
In this post we’ve introduced Moodle’s password expiry feature, and covered how to enable this and how to ensure it’s enforcing as expected. We’ve also looked under the hood at how it affects items in the database.
We’ve done a lot of technical work with Moodle such as troubleshooting issues, or testing and managing configuration changes. If you’d like to apply our technical expertise to your requirements, please get in touch.