Blocks compromised passwords in standard Moodle™ LMS installations — fully open source under GPL 3.0, with no restrictions on commercial use. Part of the MuTMS suite.
Checks passwords against the Have I Been Pwned database of known breaches when passwords are created, updated, or optionally on every login. Uses the k-Anonymity API — the full password is never sent outside Moodle. Users with a compromised password are blocked until they reset it.
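The k-Anonymity range lookup described above, sketched as an added Python example; it is not the plugin's own code, which runs inside Moodle. All function names are hypothetical, and the range response is constructed so the block runs offline.

```python
import hashlib

SENT = []  # records everything the stand-in "network" call receives


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    # Only these five hex characters are sent to the Pwned Passwords range API.
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def breach_count(range_body: str, suffix: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines of a range response for our suffix."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # Padded responses contain filler entries with a count of 0.
            return int(count) if count.isdigit() else 0
    return 0


def is_compromised(password: str, fetch_range) -> bool:
    """fetch_range(prefix) -> response body; the suffix is compared locally."""
    prefix, suffix = split_hash(password)
    return breach_count(fetch_range(prefix), suffix) > 0


def sample_range(prefix: str) -> str:
    """Constructed stand-in for the HTTP GET; counts and decoys are made up."""
    SENT.append(prefix)
    _, known = split_hash("password")
    lines = [
        "0" * 35 + ":3",    # decoy: another hash sharing the prefix
        known + ":12345",   # the entry for the string "password"
        "F" * 35 + ":0",    # padding entry
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(range_url(split_hash("password")[0]))
    print(is_compromised("password", sample_range), SENT)
```

In a real deployment `fetch_range` would perform the HTTPS GET against `range_url(prefix)`; the match against the returned suffixes always happens on the server that holds the password.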
- Checks passwords on creation and update
- Optional check on every login
- k-Anonymity API — no full password ever leaves Moodle
- Blocks access until a compromised password is replaced
- Install the plugin
- Log in as admin — ensure you can reset your administrator password via email if needed
- Enable the Password policy setting and review password requirements
- Enable the Check password on login setting
- Go to Site administration / Plugins / Authentication / Compromised password blocking
- Enable Detect compromised passwords
If anything goes wrong, passwords can be reset from the CLI via /admin/cli/reset_password.php.
This plugin is included in the MuTMS distribution — no manual installation needed if you use the distribution.
No other plugins are required.
See online documentation for more information.
MuTMS is an independent open-source project, not affiliated with Moodle HQ.