LON-CAPA Help

Resetting Forgotten Password

Users have been able to reset a forgotten password since LON-CAPA 2.3, by entering username, domain and e-mail address in a web form reached via the "Forgot Password?" link on the log-in page. If the information submitted via the web form matches that stored in LON-CAPA for that user (and the user's authentication type is "internal"), then an e-mail will be sent to the user's e-mail address, containing a time-limited link, which when followed will display a second web form, in which the user enters e-mail address, username, e-mail address, and a new password.

Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:

• Type of Captcha (for robot suppression) to use with the initial web form.

• Expiration time of the time-limited link in the generated e-mail.

• Whether checking of username and/or e-mail address is/are case-sensitive.

• Whether just username, or just e-mail address or both are submitted in the first form.

• Whether information besides the new password is required in the second form.

• Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.

• Whether custom text should be used as a preamble for the initial web form.

Encryption of Stored Passwords

• Encryption cost for bcrypt (positive integer). Starting with 2.11.2 bcrypt is used to encrypt the password for an internally authenticated user. The complexity of the encryption is determined by the bcrypt cost value. A higher value means more complexity (and more time to validate a user's password). The cost needs to be a positive integer. If no value is set in a domain, a default of 10 will be used.

• Check bcrypt cost if authenticated. When an internally authenticated user logins and the credentials are validated, the bcrypt cost used for the original encryption can be compared with the current domain default. If the cost for the stored encryption is less than the current domain setting, there are two options - either allow login and update the stored encryption using the higher cost, or disallow login. The default is not to compare the original cost with the current domain setting.

• Existing crypt-based switched to bcrypt if authenticated. When an internally authenticated user logs-in and the credentials are validated, if the stored credentials are currently encrypted with crypt, there is an option to update the stored encryption to use bcrypt, with or without backing-up the existing passwd file to a passwd.bak file. The default is not to update the stored passwd file, so existing users who have crypt-based stored passwords will continue to do so until such time as they change their password.

Rules for LON-CAPA Passwords

Starting with LON-CAPA 2.11.3 requirements can be set for password length, whether special characters or mixed case are required, and how many (if any) previous passwords to save for a user (disallow reuse).

Course Owner Changing Student Passwords

Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner to change a student's password, if the following conditions are met:

• same domain is used by owner, course, and student,

• student has no active or future roles besides student role in courses owned by the course owner making the change,

• course container is not a Community.

• owner is course coordinator in the course,

• setting to disable this action has not been set for the specific course.

The default is to not allow Course owners to change a student's password.