Not planned ACP Tool - Reset & Alert users of weak passwords


Well-known member
It would be handy to have an ACP tool to reset & alert user accounts with weak passwords.

Since XF does not currently have any type of PW complexity logic the tool could start off with something basic such as if the user PW & user name are the same. If the condition is found then the PW could be changed to something random and then an alert generated to the user that their password was changed for security reasons & that they need to reset it (to keep it simple, a link to the existing XF forgot password process).

If XF gains PW complexity tools in the future then the tool to check for weak passwords would ideally be updated to check against the defined complexity rules.


Well-known member
Passwords are hashed, this is a one way process. Without brute forcing it's impossible to find the users original password.


Well-known member
username = password is a ridiculously small edge case for "insecure" passwords. That would just provide a false sense of security.
... And yet it happens to the point that a different forum platform offers exactly that check in the ACP. Shocking.


XenForo developer
Staff member
Well what he says is correct -- it doesn't do anything about "password", "123456", "letmein" or all other manner of common passwords. They simply can't be checked unless you want to test only against a specific list. Even so, we use key stretching to make checking a password intentionally slow (this helps prevent brute forcing if the password hash is compromised). If it takes 0.5 seconds to check a single password and you have 10,000 users, you're looking at 5000 seconds to check the username case (likely at least 90 minutes with overhead). More for other common passwords and likely pushing slightly dubious value to check against a very very small list like that.

You mentioned checking against complexity rules which would be things like length, character "class" usage, etc. That is impossible to check against unless you have the original password. So you either need to block setting the password or do something when they login.

So in terms of an ACP tool, I don't think this would happen.

Chris D

XenForo developer
Staff member
So you either need to block setting the password or do something when they login.
This is a much better way. Prevention is better than the cure etc. So, basically, it should not be possible to set weak passwords. Some sort of password complexity rules would be welcomed if it can prevent the weak passwords to begin with.