I'm having an issue with our customers' employees often forgetting their passwords. They do not have real emails (just firstname...@noemail.com) so new passwords cannot be sent to their emails. Currently only people with admin rights can change the password, and we can't give admin rights to our customers (they would see other customer info as well). We want the customers to be able to reset the passwords (and only their own employee's passwords), because it takes time if a customer needs to contact us.
I would point blank refuse to offer any password reset facility that didn't include some kind of verification - either an email address, or security questions/answers that they set up when they are authenticated (you'd probably have to write this yourself, or ask a Moodle partner to do it - and use the Moodle change password code functions to actually change their password in the database).
Our users are low-level employees of factories and therefore have no work email - or for that matter personal ones. They are scattered all over the world and are often technologically challenged; just last month I watched them struggle to use a regular computer mouse.
I want the process of resetting the password to be as simple as possible for them, and most likely it needs to go through their manager somehow. I don't know if it's possible to give their manager rights to change his employees' passwords - but not other users'?
The only way I can think of that is secure enough is to move all the authentication credentials to an external database and use the external database authentication plugin. The authentication database could be hosted on the same DB server as Moodle's, but it should be a different database.
This way, you could create a read-only user for Moodle to query the username/password combinations (to manage logins) and a read/write user for the (additional to Moodle) application that would manage password resets. You could add additional columns in the external users table to store the "managing customer organization", and then a second table where you would map "password manager users" to "managing customer organization". When those password manager users log into the additional application, the application would make sure they only see and manage the user accounts belonging to their managing customer organization.
Thank you for your answer, I'll look into it. Currently I don't think that the external database is really a realistic option for us, as managing the users in a different place complicates the management of our Moodle site. Also the external database most likely costs more (unless there are any safe free options?) and requires more technical expertise (which would require resources from our IT department). But I'll look into this option a bit more, as the options for solving this issue seem to be a bit scarce.
Hi Everyone,
Hope you can help with this one.
When a user logs in they are directed to their 'LIST PAGE'. As part of the standard PHPRunner routine they are presented with a link to 'change password'.
Here's the problem...
When the users clicks the link, they are shown the 'Change Password' screen (changepwd.php)
They then have to enter their 'Old Password'... which is OK.
However, at this point they can simply click SUBMIT and blank entries are accepted as their new password.
i.e. The user can simply log in with their 'Username'.
I want to be able to force the user to have to enter a 'New Password' and then to 'Confirm Password'.
Your help would be much appreciated.
Lisa
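The two threads above describe the same missing pieces from opposite ends: the Moodle reply proposes a separate authentication database with an "organization" column on users and a manager-to-organization mapping table so that a customer's manager can reset only their own employees' passwords, and the PHPRunner post shows what happens when the change-password form does no server-side validation at all (a blank new password is accepted). The following is an added example, not code from either thread, from Moodle, or from PHPRunner. It models the external database with an in-memory SQLite table set (table and column names, the PBKDF2 hashing, the 8-character minimum and the sample organizations and usernames are all assumptions of this example); the read-only versus read/write database accounts the reply mentions would be created with database-specific GRANT statements, which are not shown.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema for the separate authentication database described in the
# Moodle thread: users carry the organisation that manages them, and a second
# table maps password-manager accounts to the organisations they may manage.
# In a real deployment Moodle's DB account would get SELECT only on `users`,
# and only this reset application's account would get UPDATE.
SCHEMA = """
CREATE TABLE organizations (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    org_id   INTEGER NOT NULL REFERENCES organizations(id),
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL
);
CREATE TABLE password_managers (
    manager_username TEXT    NOT NULL REFERENCES users(username),
    org_id           INTEGER NOT NULL REFERENCES organizations(id),
    PRIMARY KEY (manager_username, org_id)
);
"""

MIN_LENGTH = 8          # assumed policy value for this example
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; stand-in for whatever hash the external DB uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def validate_new_password(new, confirm):
    """Server-side checks the PHPRunner form lacks. Returns a rejection reason or None."""
    if not new or not new.strip():
        return "new password must not be blank"
    if new != confirm:
        return "confirmation does not match the new password"
    if len(new) < MIN_LENGTH:
        return "new password must be at least %d characters" % MIN_LENGTH
    return None


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ensure_org(conn, org_name):
    conn.execute("INSERT OR IGNORE INTO organizations(name) VALUES (?)", (org_name,))
    return conn.execute("SELECT id FROM organizations WHERE name = ?", (org_name,)).fetchone()[0]


def add_user(conn, username, org_name, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, org_id, salt, pw_hash) VALUES (?, ?, ?, ?)",
        (username, ensure_org(conn, org_name), salt, hash_password(password, salt)),
    )


def grant_manager(conn, manager, org_name):
    conn.execute(
        "INSERT INTO password_managers (manager_username, org_id) VALUES (?, ?)",
        (manager, ensure_org(conn, org_name)),
    )


def verify_login(conn, username, password):
    """What Moodle's read-only external-DB credential check amounts to."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def reset_password(conn, manager, target, new, confirm):
    """Manager-driven reset, scoped to the manager's own organisation(s)."""
    allowed = conn.execute(
        """SELECT 1 FROM users u
           JOIN password_managers m ON m.org_id = u.org_id
           WHERE u.username = ? AND m.manager_username = ?""",
        (target, manager),
    ).fetchone()
    if allowed is None:
        # Same answer whether the target is in another organisation or does not
        # exist, so a manager cannot enumerate usernames outside their own org.
        return (False, "not authorized to reset this account")
    reason = validate_new_password(new, confirm)
    if reason:
        return (False, reason)
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
        (salt, hash_password(new, salt), target),
    )
    conn.commit()
    return (True, "password reset")


if __name__ == "__main__":
    db = open_db()
    add_user(db, "mgr.a", "Factory A", "manager-initial-1")    # constructed sample accounts
    add_user(db, "worker.1", "Factory A", "worker-initial-1")
    add_user(db, "worker.2", "Factory B", "worker-initial-2")
    grant_manager(db, "mgr.a", "Factory A")
    print(reset_password(db, "mgr.a", "worker.1", "", ""))                        # blank rejected
    print(reset_password(db, "mgr.a", "worker.2", "Longenough9", "Longenough9"))  # other org rejected
    print(reset_password(db, "mgr.a", "worker.1", "Longenough9", "Longenough9"))  # allowed
    print(verify_login(db, "worker.1", "Longenough9"))
```

The authorization query joins the target user to the manager's organization mapping before anything else happens, so the reset application never has to trust the manager's claim about which organization a username belongs to, and the same "not authorized" answer is returned whether the target is in another organization or does not exist at all. The new-password checks run only after authorization and are the same checks a change-password form should run on the server regardless of what the client-side form enforces.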
I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.
A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by supported authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).
More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using its most robust form of multi-factor authentication (single sign-on solutions, or SSOs). To wit:
The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:
However, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.
I have a newer MBP (June 2011). I set it up with a BLANK password. I would like to change the BLANK to a strong password. My concern is that in doing so, I may make some mistake and lock myself out. I know I can do a recovery and then reset the password. Unfortunately, this will have the effect of blocking me from using Keychain Assistant. Or so I believe.
I have been given two different ways to make the change. Unfortunately, I don't have the skills or experience to know which is best. One expert suggested going to Preferences, clicking on Change Password and TABbing past the password to enter the new password. Seems OK, and the expert commented it is as if you have simply skipped past the original password.
You will have an opportunity to reset your keychain password on your first login to the new password. You can also reset your keychain password at any time by opening the keychain access, selecting edit and changing the password there.
Thanks for the quick response. I didn't know there was a reset password option in System Preferences. I wanted to change my password (a BLANK) using System Preferences. The use of a recovery process with a reset is when I risk being locked out from the keychain.
It really is simple and I have done it several times. Just go into System Preferences/Users & Groups and then unlock the padlock. Hit Change Password, leave the old password space empty as it was, then enter the new password, confirm the new password, relock the padlock icon and you are set to go with your new password. You will only get locked out, as you say, if you forget your password.
Cheers Neil. When I go to Preferences, Users, and click on the padlock, I will be asked for my admin password, correct? For me, this is a bit like skydiving. So simple, just jump and then what follows is simple.
Yep, simple. It wants your password, which is blank, so just hit OK. After you change it and it asks you for it again at some stage, it will just recognise the new one. Like skydiving, but with an emergency chute, in case you ever do have issues. It is simple, trust me. I have done it several times.
Cheers Neil. Your answer was quite helpful. In fact, your added note that many used Macs would have their passwords made BLANK makes perfect sense. It even surprises me a bit that there weren't more forum users who had this experience and could offer help. I have asked this question before and many of the responses were from well-intentioned people, but not really certain of their answers. None, until you, had even mentioned unlocking the padlock. That was an "elephant in the room" moment for me.
A lot of security guidance recommends that you don't use the same password in multiple places, to make it complex, and to avoid simple passwords like Password123. You can provide your users with guidance on how to choose passwords, but weak or insecure passwords are often still used. Microsoft Entra Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.
You should use other features like Microsoft Entra multifactor authentication, not just rely on strong passwords enforced by Microsoft Entra Password Protection. For more information on using multiple layers of security for your sign-in events, see Your Pa$$word doesn't matter.
This conceptual article explains to an administrator how Microsoft Entra Password Protection works. If you're an end user already registered for self-service password reset and need to get back into your account, go to
The Microsoft Entra ID Protection team constantly analyzes Microsoft Entra security telemetry data looking for commonly used weak or compromised passwords. Specifically, the analysis looks for base terms that often are used as the basis for weak passwords. When weak terms are found, they're added to the global banned password list. The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis.
When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.
The global banned password list is automatically applied to all users in a Microsoft Entra tenant. There's nothing to enable or configure, and it can't be disabled. This global banned password list is applied to users when they change or reset their own password through Microsoft Entra ID.
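The text above says that banned password lists catch known weak passwords "and their variants", that a tenant can add its own custom terms, and that the lists are checked whenever a password is changed or reset. As an added example (not Microsoft's code, and not a description of the service's exact evaluation), the block below shows the shape such a check takes: normalise the candidate by lower-casing and undoing common character substitutions so that variants collapse onto their base term, strip every banned base term found, and accept the password only if what it contains beyond banned terms is substantial. The two word lists, the substitution table and the five-point threshold are all constructed for this example.

```python
# Constructed sample lists. The real global list is derived from Microsoft's
# telemetry and is not published; the custom list is whatever the tenant admin
# enters. Both are assumptions of this example.
GLOBAL_BANNED = ["password", "qwerty", "letmein", "welcome", "iloveyou"]
CUSTOM_BANNED = ["contoso", "fabrikam"]

# Character substitutions undone during normalisation, so that variants such
# as "P@ssw0rd" collapse onto the banned base term "password". Assumed table.
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "@": "a", "$": "s", "!": "i",
})

MIN_SCORE = 5  # assumed threshold for this model


def normalize(password):
    """Lower-case the candidate and undo the common substitutions."""
    return password.lower().translate(_SUBSTITUTIONS)


def score_password(password, banned_terms):
    """One point per banned base term found, one point per character left over."""
    remaining = normalize(password)
    score = 0
    # Longest terms first, so a longer banned term is not broken up by a shorter one.
    for term in sorted(set(banned_terms), key=len, reverse=True):
        while term in remaining:
            remaining = remaining.replace(term, "", 1)
            score += 1
    return score + len(remaining)


def check_password(password, custom_terms=()):
    """Evaluate a candidate against the global list plus any tenant-specific terms."""
    banned = list(GLOBAL_BANNED) + list(custom_terms)
    score = score_password(password, banned)
    return {
        "normalized": normalize(password),
        "score": score,
        "accepted": score >= MIN_SCORE,
    }


if __name__ == "__main__":
    # Constructed candidates showing why a variant of a banned term is rejected,
    # and what the custom list adds on top of the global one.
    for candidate, custom in [
        ("P@ssw0rd123", ()),
        ("Welcome1!", ()),
        ("Contoso1", ()),
        ("Contoso1", CUSTOM_BANNED),
        ("correct-horse-battery", CUSTOM_BANNED),
    ]:
        print(candidate, "->", check_password(candidate, custom))
```

Two things the example makes visible that the prose only states: normalisation is what turns "their variants" into a single comparison ("P@ssw0rd123" normalises to "passwordl2e", loses "password" and has too little left to pass), and the custom list changes the verdict for organisation-specific terms ("Contoso1" passes against the global list alone but fails once "contoso" is banned for the tenant). Real deployments also check the candidate against tokens from the user's own name and apply fuzzy matching; this model omits both.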