• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Password Tools 2.3.5

No permission to download
Compatible XF 1.x versions
1.4, 1.5
Additional requirements
php 5.4+
MIT License
Visible branding
Password Tools


This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and numbers, but on how easy they are to crack in reality.

To increase the safety of your users account, you can force them to use passwords of a minimum length, minimum strength and even force them to exclude certain words from their passwords (like your site name, the topic your site refers to, etc.).

But the other side of the equation, is no matter how secure the password is, if it has been compromised not password strength estimator will help make it better. As such NIST has the following guidance: check passwords against those obtained from previous data breaches. Pwned Password integration does that.

zxcvbn Readme said:
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes and weighs 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to password policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
Pwned password said:
Password reuse and credential stuffing

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.

NIST's guidance: check passwords against those obtained from previous data breaches

The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches . The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed.
Thanks @WoodiE for funding the HIBP (pwned password) integration.


  • Show users how strong their passwords really are when it comes to crack-attempts
  • Deliver instant feedback if password and password-confirm match and/or certain requirements are not met
  • Force users to choose passwords with a minimum strength
  • Force users to choose passwords with a minimum length
  • Force users to chooce a password not containing words from a blacklist you define
  • No cheating: This modification also controls users passwords on server side with Ben Jeavos php-implementation of zxcvbn.
  • Easy styling through XenForo Style Properties


I recommend using Add-on install & upgrade to install this add-on.
Related resources
*Out of date, minor differences
**Out of date, major differences
First release
Last update
5.00 star(s) 7 ratings

More resources from Xon

Latest updates

  1. 2.3.5 - Bugfix update

    Fix red 'X' next to password may not be removed on a valid password. Prevent displaying the...
  2. 2.3.4 - Feature Update. Pwned password integration

    Thanks @WoodiE for funding the HIBP (pwned password) integration. Pwned password integration...
  3. 2.2.1 - Bugfix update

    Fixed that an older XML was used pointing at old code event listener files.

Latest reviews

@Xon was a pleasure to work with when adding the Pwned Password (by HaveIBeenPwned) feature that I commissioned him to add. The integration works better than requested with the ability to configure minimum count and caching. This is an addon that all forum owners should consider using to not only better secure their forums but protect their users.
Best addon! This password would be generator or strong a type more than weak type a bit four / five.
Awesome addon, great addition for any forum and it's integrated very seamlessly out of the box. I can't think of any reason not to use this addon :b
Confirmed working on the latest xenforo version 1.5.3! :)

This is pretty much needed for any type of forum.
Great add-on to increase the discipline of password choice. Stable performance and easy to adjust with plenty of style properties out of the box and full customization with CSS.
This is a really nice addon. It works without any problems, is open-source (MIT license) and looks nice.
Great to improve the password strength of the users. Suggestions and improvements are implemented in each update. working perfect in 1.5 Thanks @katsulynx ★★★★★