Password Tools 3.13.0

  • Require StandardLib v1.22.0+
  • Reduce pwnedpassword check HTTP request time-out from 2 seconds to 1 second. This check blocks the login request and should only take a few tens of milliseconds, so fail faster instead of waiting
  • Add password test page; this tests all the ways a password could fail, including methods which aren't enabled
  • Fix internal server error when registering an account without an email address (requires 3rd party addon to trigger)
  • Fix server error when a password is very long
  • Add "Force two-step verification" permission
    • If enabled for a user, prevents email 2FA from being disabled
  • For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it
  • Align defaults with NIST Password Guidelines for 2024
    • Update "New password validation rules" defaults. "Prevent passwords which contain the user's email or username, and the site's domain/name" defaults to true
    • Update "Minimum password length" default to 15
  • PHP 8.4+ compatibility fixes
  • Rename option "Password check types" to "New password validation rules"
  • Add "On login; consider known-bad passwords as compromised" option (default false)
  • Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)
  • Fix JavaScript error for XF2.2
  • Fix JavaScript error when using XF2.3
  • Require StandardLib v1.20.0+
  • Restore XF2.1 support; note that front-end Zxcvbn requires XF2.2+
  • Support XF2.3+
  • PHP 8.4+ compatibility
  • Add "Force password reset on compromised password" option
    • This option is likely overkill for most sites, and is not generally recommended
Thanks to @NamePros for this update.
  • Fix changing user entity while a write is pending in some cases
  • Add "Use rejected password fragments in password meter" option (default disabled).
    Take rejected password fragments into consideration when showing the password strength meter to the user.
    Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.
This add-on is now available on atelieraphelion.com
  • Require StandardLib v1.18.0+
  • Add new "User-group for compromised passwords" option, which adds users to the selected user-group when a compromised password is detected on login.
    Defaults to disabled. Useful for targeting with notices.