
XF 1.4 Best Way to Invalidate Password

Discussion in 'XenForo Questions and Support' started by md_5, Aug 24, 2015.

  1. md_5

    md_5 Well-Known Member

    As part of my upgrade to XenForo 1.5 I need to deal with the fact that existing two factor accounts (via an addon) cannot be imported to the XenForo two factor auth system.
    From a security point of view, the sanest thing to do seems to be to force a password reset on users that currently have two factor auth enabled.
    What is the best way to do this? What I have in mind is simply batch updating their xf_user_authenticate data to the following:
    There is no way that a password hash can be "!", so this should be safe, but I am curious if anyone had better ideas.
  2. Chris D

    Chris D XenForo Developer Staff Member

    You could change their password for them, then send them a password reset via the reset password link on the forum.
  3. md_5

    md_5 Well-Known Member

    Nah, needs to be done in bulk for ~200 users with 2fa enabled.
  4. Chris D

    Chris D XenForo Developer Staff Member

    I would still say a script that causes a password reset in bulk is a better option. I believe there may be an add-on that does it already, but it appears to do it either for one user or all users so it's still not quite what you need. Though I imagine the author might be able to help you adjust it for just the users you need: Force Password Change

    That said, the approach you have posted may work, it's just not ideal. If you went down that route, it would be best to rigorously test it just to ensure it behaves how you want it to.
  5. md_5

    md_5 Well-Known Member

    That addon doesn't actually force a reset by logging them out, however.

    My issue is that I am concerned that by simply deleting all 2fa accounts, I would be compromising the security of my users, hence I need to force them to use their email initially as a reset method.

    Since XenForo doesn't seem to have a "force reset" flag, I think the above SQL should work.
