Resource icon

Password Tools 3.11.1

No permission to download

Author Xon
Creation date Oct 1, 2018
Tags

hibp limitations password zxcvbn

Overview FAQ Updates (28) Reviews (3) History Discussion

3.7.1 - Feature update

May 31, 2022

Require XenForo 2.2+, drop XF2.1 support

Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat

Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn

Update new install option defaults to more recommend values:

Enforce password complexity for admins

Enable "Length check by default, and set the "Minimum length" to 8

Enable "Pwned password password validation" by default

Reactions: otto, vwts, thumped and 1 other person

3.6.5 - Bugfix update

Dec 21, 2021

Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.

More 32bit php fixes, Thanks to @NamePros

Reactions: PaulB

3.6.4 - Bugfix update

Dec 10, 2021

Fix edge case where 32bit php would incorrectly report a very strong password was weak due to bad float to integer truncation.

Recommend ext-gmp (aka php-gmp) for optimized binomial calculations, which requires php 7.3+

3.6.3 - php 8.1 compatibility fix

Dec 4, 2021

Dramatically reduce redistributable size by trimming unneeded files

php 8.1 compatibility fix

3.6.2 - Maintenance update

Nov 23, 2021

Reduce queries when triggering forced email 2fa

Prevent rare DuplicateKeyException when forcing email 2fa and multiple tabs are being used

Reactions: thumped

3.6.1 - Feature update

Oct 27, 2021

Thanks to @NamePros for sponsoring this update.

Update compromised password alert text to be less awkward

On updating passwords, remove any compromised password alerts to avoid user confusion

Add "Force email two factor authentication on compromised password" option (default disabled)

Add "Pwned password minimum count (soft)" option.
This allows a user to change a password to a known compromised value which is under a given number of known hits. This still generates compromised password alerts

Reactions: Joe Link, Faust, NamePros and 2 others

3.5.0 - Feature update

Jul 24, 2021

Force global namespace for functions which are known to be optimizable to bytecode in php, or known global functions to avoid a current namespace lookup for the function.

Add "On login; alert the user if they have a known compromised password" option (default enabled)

Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)

Reactions: CoZmicShReddeR

3.4.0 - php 8 compatibility update

Dec 24, 2020

Require php 7.2+

Fix php 8 compatibility

Reactions: yin9 and CoZmicShReddeR

3.3.0 - XF2.2 compatibility update

Jul 24, 2020

Requires php 7.0+

Now depends on Standard Library by Xon

Supports XF2.2+

Reactions: WoodiE and yin9

3.2.2 - Bugfix update

Apr 10, 2020

Fix "Undefined index: match_sequence" error when "Force Reject" option is enabled

We value your privacy

We use essential cookies to make this site work, and optional cookies to enhance your experience.

See further information and configure your preferences

Accept all cookies Reject optional cookies
Essential cookies

These cookies are required to enable core functionality such as security, network management, and accessibility. You may not reject these.

Optional cookies

We deliver enhanced functionality for your browsing experience by setting these cookies. If you reject them, enhanced functionality will be unavailable.

Third-party cookies

Cookies set by third parties may be required to power functionality in conjunction with various service providers for security, analytics, performance or advertising purposes.

Detailed cookie usage

Privacy policy

Password Tools 3.11.1

We value your privacy