Not planned ACP Tool - Reset & Alert users of weak passwords

Kevin · Aug 15, 2014

It would be handy to have an ACP tool to reset & alert user accounts with weak passwords.

Since XF does not currently have any type of PW complexity logic the tool could start off with something basic such as if the user PW & user name are the same. If the condition is found then the PW could be changed to something random and then an alert generated to the user that their password was changed for security reasons & that they need to reset it (to keep it simple, a link to the existing XF forgot password process).

If XF gains PW complexity tools in the future then the tool to check for weak passwords would ideally be updated to check against the defined complexity rules.

md_5 · Aug 16, 2014

Impossible.
Passwords are hashed, this is a one way process. Without brute forcing it's impossible to find the users original password.

Kevin · Aug 17, 2014

md_5 said:
Impossible.
Passwords are hashed, this is a one way process. Without brute forcing it's impossible to find the users original password.

Hmmmmm..... compare the hashed username to the password... yep, impossible.

md_5 · Aug 17, 2014

Kevin said:
Hmmmmm..... compare the hashed username to the password... yep, impossible.

username = password is a ridiculously small edge case for "insecure" passwords. That would just provide a false sense of security.

Kevin · Aug 17, 2014

md_5 said:
username = password is a ridiculously small edge case for "insecure" passwords. That would just provide a false sense of security.

... And yet it happens to the point that a different forum platform offers exactly that check in the ACP. Shocking.

Mike · Aug 17, 2014

Well what he says is correct -- it doesn't do anything about "password", "123456", "letmein" or all other manner of common passwords. They simply can't be checked unless you want to test only against a specific list. Even so, we use key stretching to make checking a password intentionally slow (this helps prevent brute forcing if the password hash is compromised). If it takes 0.5 seconds to check a single password and you have 10,000 users, you're looking at 5000 seconds to check the username case (likely at least 90 minutes with overhead). More for other common passwords and likely pushing slightly dubious value to check against a very very small list like that.

You mentioned checking against complexity rules which would be things like length, character "class" usage, etc. That is impossible to check against unless you have the original password. So you either need to block setting the password or do something when they login.

So in terms of an ACP tool, I don't think this would happen.

Chris D · Aug 17, 2014

Mike said:
So you either need to block setting the password or do something when they login.

This is a much better way. Prevention is better than the cure etc. So, basically, it should not be possible to set weak passwords. Some sort of password complexity rules would be welcomed if it can prevent the weak passwords to begin with.

Kevin · Aug 17, 2014

Mike said:
So you either need to block setting the password or do something when they login.

Sounds good to me.

Not planned ACP Tool - Reset & Alert users of weak passwords

Kevin

Well-known member

md_5

Well-known member

Kevin

Well-known member

md_5

Well-known member

Kevin

Well-known member

Mike

XenForo developer

Chris D

XenForo developer

Kevin

Well-known member

Similar threads

We value your privacy