  1. #1

    SimpleSi's Avatar
    Join Date
    Jun 2005
    Location
    Lancashire
    Posts
    5,809
    Thank Post
    1,476
    Thanked 592 Times in 444 Posts
    Rep Power
    168

    Moodle forced password change

    It looks like CLEO have made all their moodle users do a forced password change

    I am asking Westfield to check this out for non-admin users but I was made to change my password on 2 sites that I've checked and 1 ICT co-ord has told me that he had to change his.

    Will let you know whether it's true or not.

    (I had emails last week saying password security had been upgraded but I don't remember any mention of forced changes)


    regards

    Simon

  2. #2
    Butters's Avatar
    Join Date
    Jun 2008
    Location
    London
    Posts
    534
    Thank Post
    15
    Thanked 51 Times in 45 Posts
    Rep Power
    60
    The last update of Moodle added in password complexity rules which can be disabled in the administration --> site policies area.

    Looks as if they've left this on which will default flag all users as being forced to change their password.

    Quick SQL statement on the DB can fix this though so I'd get on to them before everyone wonders why they are having to change passwords

  3. #3

    SimpleSi's Avatar
    Quote Originally Posted by Butters
    Looks as if they've left this on which will default flag all users as being forced to change their password.
    That doesn't seem to be it - Password Policy is unticked (and default is No)

    regards

    Simon

  4. #4

    Join Date
    Dec 2007
    Location
    Lancaster
    Posts
    11
    Thank Post
    3
    Thanked 7 Times in 3 Posts
    Rep Power
    15
    Hi,

    Quote Originally Posted by SimpleSi View Post
    It looks like CLEO have made all their moodle users do a forced password change
    Only administrators are being forced to do this; this is a precautionary measure introduced by Moodle core in Moodle 1.9.7. See Moodle release notes.

    Please note that we did not take the decision to leave this password change step in the upgrade lightly and decided to keep it in the Moodle upgrade for CLEO to ensure that administrators' passwords are forced to be salted. We implemented password salting in the CLEO Moodle instance some time ago, but recently there have been a number of public discussions of how to take an unsalted password hash and use a lookup table to reverse this. It seemed prudent that we take our best efforts to ensure old administrator accounts in CLEO had their passwords salted to avoid this being exploited.

    Quote Originally Posted by Butters
    The last update of Moodle added in password complexity rules which can be disabled in the administration --> site policies area.
    We disabled this part of the CLEO upgrade as the cost of applying this across all 230,000 users in CLEO did not seem to outweigh the benefits. Though we would still strongly recommend that Moodle administrators choose to turn this option on, we felt it better to leave this up to schools.

    cheers,

    Dan Poltawski
    (CLEO Moodle Tech Lead)

    PS. You might be interested in the official CLEO Moodle User Group http://vle.cleo.net.uk - you can get access by contacting the CLEO Office.

  5. Thanks to poltawski from:

    SimpleSi (24th February 2010)
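
Added example, not part of the original thread and not Moodle's or CLEO's own code: it shows why an unsalted hash can be reversed with a precomputed lookup table, why a salted hash cannot, and how a legacy hash is replaced at the next successful login or password change. The thread does not name the hash function, so MD5 is an assumption; the salt, wordlist, account names and helper names are constructed for illustration.

```python
import hashlib
import hmac

SITE_SALT = "constructed-site-salt-7f3a"   # assumption: one site-wide salt
COMMON = ["password", "letmein", "moodle123", "qwerty"]  # constructed wordlist

def unsalted_hash(password):
    # Legacy form: a pure function of the password, identical on every site.
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt=SITE_SALT):
    # Salted form: the digest also depends on a secret the table builder lacks.
    return hashlib.md5((password + salt).encode()).hexdigest()

def build_lookup_table(words):
    # Precomputed once, reusable against any store of unsalted hashes.
    return {unsalted_hash(w): w for w in words}

def audit(users, table):
    # Accounts whose stored hash is reversible by a plain dictionary lookup.
    return sorted(name for name, stored in users.items() if stored in table)

def login_and_upgrade(users, name, password):
    # Accept either form, but rewrite a legacy hash as salted on success.
    stored = users.get(name)
    if stored is None:
        return False
    if hmac.compare_digest(stored, salted_hash(password)):
        return True
    if hmac.compare_digest(stored, unsalted_hash(password)):
        users[name] = salted_hash(password)
        return True
    return False

def demo():
    # Constructed accounts: one admin never re-hashed, one already salted.
    users = {"admin_old": unsalted_hash("letmein"),
             "admin_new": salted_hash("letmein")}
    table = build_lookup_table(COMMON)
    before = audit(users, table)
    login_and_upgrade(users, "admin_old", "letmein")
    after = audit(users, table)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A single site-wide salt only defeats generic precomputed tables; per-user salts combined with a deliberately slow password hash such as bcrypt are the stronger choice.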

  6. #5

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,843
    Thank Post
    876
    Thanked 1,679 Times in 1,459 Posts
    Blog Entries
    12
    Rep Power
    444
    Another reason not to use LEA services and to do it yourself....

  7. #6

    john's Avatar
    Join Date
    Sep 2005
    Location
    London
    Posts
    10,513
    Thank Post
    1,493
    Thanked 1,050 Times in 919 Posts
    Rep Power
    302
    Quote Originally Posted by FN-GM View Post
    Another reason not to use LEA services and to do it yourself....
    The CLEO Moodle is run exceptionally well, I have seen far worse LEA VLE systems, and agree with what they have done. Fine, I am no longer in a CLEO school so don't see the comms from them, but a quick email to the schools warning wouldn't go amiss, but the CLEO Moodle is not bad at all.

  8. #7

    FN-GM's Avatar
    Personally I think it would be better to have control of your own platform.

  9. #8
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,490
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    51
    Quote Originally Posted by FN-GM View Post
    Another reason not to use LEA services and to do it yourself....
    So they updated and removed a security risk (using non salted passwords on admin accounts, which can be cracked quite easily...) and are forcing said users to update their passwords (could be the same one, it would just salt it) and that is an issue how?

    It's no different than updating a server to stop malicious hack X or Y.

  10. #9

    FN-GM's Avatar
    Quote Originally Posted by p858snake View Post
    So they updated and removed a security risk (using non salted passwords on admin accounts, which can be cracked quite easily...) and are forcing said users to update their passwords (could be the same one, it would just salt it) and that is an issue how?

    It's no different than updating a server to stop malicious hack X or Y.
    I am not saying what they did is a bad thing. But it's better to have control of your own setup and for you to decide what happens.

    I think it's good that it has been kicked in

  11. #10

    SimpleSi's Avatar
    As others have said - a little note would have been handy - I was sent emails about the upgrade - but no hint about the need for password changes

    The main effect is that we are encouraged to set all teachers/TAs as admins (so everyone has the same screen layout during training sessions) so it affects all of them as well

    So they'll either end up changing their passwords to something very simple (or use the same one as their internet banking one)

    regards

    Simon

  12. #11

    Join Date
    Dec 2007
    Location
    Preston
    Posts
    364
    Thank Post
    14
    Thanked 84 Times in 77 Posts
    Rep Power
    30
    we are encouraged to set all teachers/tas as admins (quote)
    Who encourages that?
    I know you deal in primaries so there are fewer teachers in the schools but nonetheless....

    Also - on the CLEO moodle forums Dan Poltawski mentioned it did actually say (quote again)

    "One key feature is that anyone who holds an administrator account on your school Moodle will be prompted to change their password the first time they log in after the upgrade." So we were warned.

    I understand your feelings about it being better to run your own install FN_GM - it is frustrating at times when you want to do additional stuff and can't - but on the other hand I very much appreciate having someone else carry the load of doing the upgrades/security patches etc. I think CLEO are doing a very good job. (no I don't work for them; I teach children (some of whom are adults!))
    Last edited by secretlife; 25th February 2010 at 08:36 PM.

  13. #12

    Join Date
    Dec 2007
    Location
    Lancaster
    Posts
    11
    Thank Post
    3
    Thanked 7 Times in 3 Posts
    Rep Power
    15
    Quote Originally Posted by SimpleSi View Post
    As others have said - a little note would have been handy - I was sent emails about the upgrade - but no hint about the need for password changes
    Good criticism, I agree and it was entirely my fault for not ensuring that this happened with the upgrade notifications.

    Quote Originally Posted by secretlife View Post
    Also - on the CLEO moodle forums Dan Poltawski mentioned it did actually say (quote again)

    "One key feature is that anyone who holds an administrator account on your school Moodle will be prompted to change their password the first time they log in after the upgrade." So we were warned.
    Actually secretlife, I think that was posted after the upgrade had happened (or while in process) and not before.


    Quote Originally Posted by SimpleSi
    So they'll either end up changing their passwords to something very simple (or use the same one as their internet banking one)
    You could switch on the password policy to prevent that. Obviously I'd like to see that go hand in hand with user education about using strong passwords. An unenviable task, but I'd rather see that than student details being compromised or a school's reputation being discredited due to adult related spam....


    Quote Originally Posted by FN-GM View Post
    I am not saying what they did is a bad thing. But it's better to have control of your own setup and for you to decide what happens.
    Better for you, but certainly not all schools. If I were a school tech I expect I'd like to run my own moodle system and have control much like you - as I've got the skills to do it. But that might not be the best thing for my school long term (what happens when I leave, can I train and support it, do I have the funds to find the infrastructure to ensure it works all the time?).


    In CLEO we're not perfect (who is?), but I personally believe passionately that we offer a good service which makes efficient use of taxpayer funding. Instead of spending a load of money on licensing costs, money has been used to fund:
    • Massive training programmes for teachers and staff (and what's the point of having it if the teachers don't use it)
    • Massive investment into hardware and infrastructure to ensure it's highly available
    • Support structures to ensure we find and fix faults, you can call someone if it breaks


    We've also been able to make significant contributions to the Moodle project which benefit all schools around the world and made customisations for schools to make it fit more for the environment. Hopefully this will continue to a greater and greater extent as the years go by. We are able to do this as we have dedicated expertise due to the scale of the CLEO offering. This also helps us be able to influence the direction of Moodle.

    (sorry, I'll stop selling it now - I truly do believe in it which is why I enjoy working on the project).

  14. #13
    joe90bass's Avatar
    Join Date
    Oct 2007
    Location
    S Wales
    Posts
    1,349
    Thank Post
    322
    Thanked 107 Times in 96 Posts
    Rep Power
    50
    Quote Originally Posted by poltawski View Post
    (sorry, I'll stop selling it now - I truly do believe in it which is why I enjoy working on the project).
    No need to apologise, some of us would be very grateful to have this passion and support available to us............

  15. #14

    john's Avatar
    Quote Originally Posted by poltawski View Post
    (sorry, I'll stop selling it now - I truly do believe in it which is why I enjoy working on the project).
    Feel free to come sell me CLEO but you will have to step over the border into Yorkshire I'm afraid, I really do miss CLEO

  16. #15

    Join Date
    Dec 2007
    Location
    Preston
    Posts
    364
    Thank Post
    14
    Thanked 84 Times in 77 Posts
    Rep Power
    30
    Quote Originally Posted by poltawski View Post
    (sorry, I'll stop selling it now - I truly do believe in it which is why I enjoy working on the project).
    Yep; that's Moodle for you...
