
Not Planned ACP Tool - Reset & Alert users of weak passwords

Discussion in 'Closed Suggestions' started by Kevin, Aug 15, 2014.

  1. Kevin

    Kevin Well-Known Member

    It would be handy to have an ACP tool to reset & alert user accounts with weak passwords.

    Since XF does not currently have any type of PW complexity logic the tool could start off with something basic such as if the user PW & user name are the same. If the condition is found then the PW could be changed to something random and then an alert generated to the user that their password was changed for security reasons & that they need to reset it (to keep it simple, a link to the existing XF forgot password process).

    If XF gains PW complexity tools in the future then the tool to check for weak passwords would ideally be updated to check against the defined complexity rules.
     
  2. md_5

    md_5 Well-Known Member

    Impossible.
    Passwords are hashed; this is a one-way process. Without brute forcing it's impossible to find the user's original password.
     
  3. Kevin

    Kevin Well-Known Member

    Hmmmmm..... compare the hashed username to the password... yep, impossible.
     
  4. md_5

    md_5 Well-Known Member

    username = password is a ridiculously small edge case for "insecure" passwords. That would just provide a false sense of security.
     
  5. Kevin

    Kevin Well-Known Member

    ... And yet it happens to the point that a different forum platform offers exactly that check in the ACP. Shocking.
     
  6. Mike

    Mike XenForo Developer Staff Member

    Well what he says is correct -- it doesn't do anything about "password", "123456", "letmein" or all other manner of common passwords. They simply can't be checked unless you want to test only against a specific list. Even so, we use key stretching to make checking a password intentionally slow (this helps prevent brute forcing if the password hash is compromised). If it takes 0.5 seconds to check a single password and you have 10,000 users, you're looking at 5000 seconds to check the username case (likely at least 90 minutes with overhead). More for other common passwords and likely pushing slightly dubious value to check against a very very small list like that.

    You mentioned checking against complexity rules which would be things like length, character "class" usage, etc. That is impossible to check against unless you have the original password. So you either need to block setting the password or do something when they login.

    So in terms of an ACP tool, I don't think this would happen.
     
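The audit Mike is costing out, as an added example that is not XenForo's code: a small list of candidates (the account's own username plus a handful of common passwords) is re-stretched against every stored hash, and because each user has their own salt nothing can be precomputed. PBKDF2-HMAC-SHA256 stands in for whatever key-stretching scheme the real software uses, and the user rows are constructed; the iteration count, the candidate list and the helper names are assumptions for the example.

```python
"""Audit key-stretched password hashes against a tiny candidate list.

Added example, not XenForo code. Assumes a user table shaped like
{username: (salt, hash)} with PBKDF2-HMAC-SHA256 standing in for the
real stretching scheme. The user rows below are constructed.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # assumed; deliberately slow, real deployments tune this


def stretch(password, salt, iterations=ITERATIONS):
    """Stretched hash. The salt differs per user, so each candidate has to be
    recomputed for every account: no shared dictionary of hashes is possible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(username, password):
    salt = os.urandom(16)
    return username, (salt, stretch(password, salt))


# Constructed sample table: two weak accounts, two acceptable ones.
USERS = dict([
    make_user("alice", "alice"),                        # username == password
    make_user("bob", "123456"),                         # on the common list
    make_user("carol", "correct horse battery staple"),
    make_user("dave", "Tr0ub4dor&3"),
])

COMMON = ["password", "123456", "letmein"]  # assumed short list


def audit(users, common=COMMON):
    """Return {username: matched_candidate} for every account whose hash
    matches its own username or one of the listed common passwords.
    Worst case this costs len(users) * (1 + len(common)) stretch operations,
    which is exactly why the check is slow when stretching is slow."""
    flagged = {}
    for name, (salt, stored) in users.items():
        for candidate in [name, *common]:
            if hmac.compare_digest(stretch(candidate, salt), stored):
                flagged[name] = candidate
                break  # no need to try further candidates for this account
    return flagged


def estimate_seconds(per_check, n_users, n_candidates):
    """The arithmetic from the post: 0.5 s * 10,000 users * 1 candidate = 5000 s."""
    return per_check * n_users * n_candidates


def measure_per_check(iterations=ITERATIONS, samples=5):
    """Time one stretch on this machine so the estimate uses a real number."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        stretch("timing-probe", salt, iterations)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    print("flagged accounts:", audit(USERS))
    per = measure_per_check()
    print(f"{per:.4f}s per check; username-only audit of 10,000 users "
          f"would take about {estimate_seconds(per, 10_000, 1):.0f}s, "
          f"adding {len(COMMON)} common passwords about "
          f"{estimate_seconds(per, 10_000, 1 + len(COMMON)):.0f}s")
```

Running it flags `alice` and `bob` and prints how long the same audit would take at the forum's scale; raising `ITERATIONS` shows the linear growth in cost that makes a large candidate list impractical, and nothing here recovers the original password for any account that does not match a candidate.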
  7. Chris D

    Chris D XenForo Developer Staff Member

    This is a much better way. Prevention is better than the cure etc. So, basically, it should not be possible to set weak passwords. Some sort of password complexity rules would be welcomed if it can prevent the weak passwords to begin with.
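The preventive approach Chris D describes, together with Mike's point that the plaintext is only available when a password is set or when the user logs in, as an added example that is not XenForo's code. The rules (minimum length, not equal to or containing the username, not on a common-password list, three character classes) are an assumed example policy, the list is constructed, and PBKDF2-HMAC-SHA256 again stands in for the real stretching scheme.

```python
"""Enforce a password policy at set time, and re-check it at login, the only
other moment the plaintext exists. Added example, not XenForo code; the
rules, the common-password list and the class names are assumptions."""
import hashlib
import hmac
import os

COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "12345678"}
MIN_LENGTH = 10


def policy_violations(username, password):
    """Return the rules the candidate password breaks (empty list = acceptable).
    This can only run on the plaintext; a stored hash tells you nothing about
    length or character classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("identical to the username")
    elif username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    kinds = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    if sum(kinds.values()) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def stretch(password, salt, iterations=20_000):
    """Stand-in for the real key-stretching scheme (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class Account:
    """An existing account, possibly created before any policy existed."""

    def __init__(self, username, password):
        self.username = username
        self.must_reset = False
        self.salt = os.urandom(16)
        self.hash = stretch(password, self.salt)


def set_password(account, new_password):
    """Prevention: refuse to store a password that breaks the policy."""
    problems = policy_violations(account.username, new_password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    account.salt = os.urandom(16)
    account.hash = stretch(new_password, account.salt)
    account.must_reset = False


def login(account, password):
    """Cure for legacy accounts: after a successful verify the plaintext is in
    hand, so run the policy and flag the account for a forced reset."""
    if not hmac.compare_digest(stretch(password, account.salt), account.hash):
        return False
    if policy_violations(account.username, password):
        account.must_reset = True
    return True


if __name__ == "__main__":
    legacy = Account("alice", "alice")          # constructed weak legacy account
    print("login ok:", login(legacy, "alice"), "must reset:", legacy.must_reset)
    try:
        set_password(legacy, "123456")
    except ValueError as err:
        print("rejected:", err)
    set_password(legacy, "Tr0ub4dor&3xyz")
    print("after reset, must reset:", legacy.must_reset)
```

The set-time check is the one that actually keeps weak passwords out; the login-time check is how existing accounts get caught without anyone having to brute-force their hashes. `must_reset` is the hook an application would use to route the user through its normal forgotten-password flow rather than handing them a new random password.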
     
  8. Kevin

    Kevin Well-Known Member

    Sounds good to me. ;)
     
