Resource icon

Password Tools 3.7.4

No permission to download
  • Fix password checks could incorrectly apply when resetting a user's password
  • Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.
  • Like
Reactions: eva2000 and otto
  • Require XenForo 2.2+, drop XF2.1 support
  • Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
  • Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
    • Update new install option defaults to more recommend values:
    • Enforce password complexity for admins
    • Enable "Length check by default, and set the "Minimum length" to 8
    • Enable "Pwned password password validation" by default
  • Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.
  • More 32bit php fixes, Thanks to @NamePros
  • Like
Reactions: PaulB
  • Fix edge case where 32bit php would incorrectly report a very strong password was weak due to bad float to integer truncation.
  • Recommend ext-gmp (aka php-gmp) for optimized binomial calculations, which requires php 7.3+
  • Dramatically reduce redistributable size by trimming unneeded files
  • php 8.1 compatibility fix
  • Reduce queries when triggering forced email 2fa
  • Prevent rare DuplicateKeyException when forcing email 2fa and multiple tabs are being used
  • Like
Reactions: thumped
Thanks to @NamePros for sponsoring this update.
  • Update compromised password alert text to be less awkward
  • On updating passwords, remove any compromised password alerts to avoid user confusion
  • Add "Force email two factor authentication on compromised password" option (default disabled)
  • Add "Pwned password minimum count (soft)" option.
    This allows a user to change a password to a known compromised value which is under a given number of known hits. This still generates compromised password alerts
  • Force global namespace for functions which are known to be optimizable to bytecode in php, or known global functions to avoid a current namespace lookup for the function.
  • Add "On login; alert the user if they have a known compromised password" option (default enabled)
  • Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)
  • Like
Reactions: CoZmicShReddeR
  • Require php 7.2+
  • Fix php 8 compatibility