I'm looking for a way to add custom password policies for a Moodle site.
I need to be able to configure the following:
to force users to change their passwords after 60 days
require the user to not reuse the same password
timeout session after 20 minutes of activity (I guess that's just the settings for the session cookie), but how do I customize it?
Moodle does give you some limited password policy and allows you to select to a limited extent the complexity of the password required. But it does not offer a fixed password lifetime and reset process.
On the admin pages you will find a section server which includes a setting for session timeout. Although 20 minutes is not specifically on the list, you may find a setting for 15 mins and 30 mins, and by modifying the underlying code, you would be able to add an item to the select menu for 'sessiontimeout' of 20 mins, or set $CFG->sessiontimeout = 1200 in the /config.php (for non-standard periods this alone would not work; you should also add the relevant record to the
$temp->add(new admin_setting_configselect('sessiontimeout' ...)
line in the admin/settings/server.php file in your moodle directory).
To enforce password changes, perhaps once a term you could make sure that everyone resets their passwords at the same time. Without rewriting parts of moodle, you could do this by setting 'auth_forcepasswordchange' in mdl_user_preferences for each user.
You could do this by editing each user, and checking force password change, but this could be quickly done across the site using some SQL to update or add a preference record for 'auth_forcepasswordchange' for each existing user. Next time a user logs in, moodle will enforce a password change, and the flag would be cleared.
I am not sure if you are working in a school or college environment. If the password reset day was planned and announced, then it might make it easier for the class teachers to prompt the students to expect this, plan for the change, and to assist their students when the password change occurs. I know that password resets can substantially impact on lessons; any advance warning would be appreciated.
If you have people working with large classes of younger students, have you discussed how the age and capabilities of the students affect this policy, and discussed how password rules affect learning and teaching, particularly with younger students or with students with special educational needs?
Perhaps you could consider how to implement a differentiated password policy which might mean that administrators and staff are required to follow a stronger password policy, with more frequent changes than students.
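The site-wide update of 'auth_forcepasswordchange' described in the answer above could look like the following. This is an added example, not part of the original answer: it assumes the default mdl_ table prefix and the standard userid / name / value columns of mdl_user_preferences, and, as a further assumption to adjust for your site, it only touches accounts that use the 'manual' authentication plugin, since externally authenticated users may not be able to change their password inside Moodle.

```sql
-- Added example: flag every active, manually authenticated user for a
-- forced password change at next login.
-- Assumptions: table prefix 'mdl_', auth plugin 'manual'. Take a database
-- backup before running, and try it on a test copy of the site first.

BEGIN;

-- How many users will be affected (sanity check before changing anything).
SELECT COUNT(*) AS users_to_flag
  FROM mdl_user u
 WHERE u.deleted = 0
   AND u.auth = 'manual'
   AND u.username <> 'guest';

-- 1. Users who already have a preference row: switch the flag on.
UPDATE mdl_user_preferences
   SET value = '1'
 WHERE name = 'auth_forcepasswordchange'
   AND userid IN (SELECT id
                    FROM mdl_user
                   WHERE deleted = 0
                     AND auth = 'manual'
                     AND username <> 'guest');

-- 2. Users with no preference row yet: add one.
--    NOT EXISTS keeps the statement safe to re-run without creating duplicates.
INSERT INTO mdl_user_preferences (userid, name, value)
SELECT u.id, 'auth_forcepasswordchange', '1'
  FROM mdl_user u
 WHERE u.deleted = 0
   AND u.auth = 'manual'
   AND u.username <> 'guest'
   AND NOT EXISTS (SELECT 1
                     FROM mdl_user_preferences p
                    WHERE p.userid = u.id
                      AND p.name = 'auth_forcepasswordchange');

-- 3. Verify: this count should match users_to_flag from the first query.
SELECT COUNT(*) AS users_flagged
  FROM mdl_user_preferences p
  JOIN mdl_user u ON u.id = p.userid
 WHERE p.name = 'auth_forcepasswordchange'
   AND p.value = '1'
   AND u.deleted = 0
   AND u.auth = 'manual'
   AND u.username <> 'guest';

COMMIT;  -- use ROLLBACK instead if the two counts do not match
```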