Resource icon

Password Tools 3.9.0

No permission to download
  • Add "Force password reset on compromised password" option
    • This option is likely overkill for most sites, and is not generally recommended
Thanks to @NamePros for this update.
  • Fix changing user entity while a write is pending in some cases
  • Add "Use rejected password fragments in password meter" option (default disabled).
    Take rejected password fragments into consideration when showing the password strength meter to the user.
    Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.
This add-on is now avaliable on
  • Require StandardLib v1.18.0+
  • Add new "User-group for compromised passwords" option, which adds uses to the selected user-group when it is detected they have a compromised password on login.
    Defaults to disabled. Useful for targeting with notices
  • Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
  • Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
  • Rename various options to be better searchable
  • Adjust various option defaults to be more robust.
    • 'Minimum password length' from 8 => 10 characters
    • 'Minimum password strength' from 'very weak' to 'weak'
    • 'Pwned password minimum count (soft)' from 1 to 0
    • 'Pwned password minimum count (hard)' from 2 to 1
    • 'Pwned password cache time' from 7 to 3 days
  • Fix password checks could incorrectly apply when resetting a user's password
  • Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.
  • Like
Reactions: eva2000 and otto
  • Require XenForo 2.2+, drop XF2.1 support
  • Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
  • Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
    • Update new install option defaults to more recommend values:
    • Enforce password complexity for admins
    • Enable "Length check by default, and set the "Minimum length" to 8
    • Enable "Pwned password password validation" by default
  • Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.
  • More 32bit php fixes, Thanks to @NamePros
  • Like
Reactions: PaulB
  • Fix edge case where 32bit php would incorrectly report a very strong password was weak due to bad float to integer truncation.
  • Recommend ext-gmp (aka php-gmp) for optimized binomial calculations, which requires php 7.3+
  • Dramatically reduce redistributable size by trimming unneeded files
  • php 8.1 compatibility fix
Top Bottom