XF 1.4 Best Way to Invalidate Password

md_5

md_5

Well-known member
As part of my upgrade to XenForo 1.5 I need to deal with the fact that existing two factor accounts (via an addon) cannot be imported to the XenForo two factor auth system.
From a security point of view, the sanest thing to do seems to be to force a password reset on users that currently have two factor auth enabled.
What is the best way to do this? What I have in mind is simply batch updating their xf_user_authenticate data to the following:
Code: 
a:1:{s:4:"hash";s:1:"!";}
There is no way that a password hash can be "!", so this should be safe, but I am curious if anyone had better ideas.
 
Sort by date Sort by votes
I would still say a script that causes a password reset in bulk is a better option. I believe there may be an add-on that does it, already, but it appears to do it either for one user or all users so it's still not quite what you need. Though I imagine the author might be able to help you adjust it for just the users you need: Force Password Change

That said, the approach you have posted may work, it's just not ideal. If you went down that route, it would be best to rigorously test it just to ensure it behaves how you want it to.
 
Upvote 0 Downvote
Chris D said:
I would still say a script that causes a password reset in bulk is a better option. I believe there may be an add-on that does it, already, but it appears to do it either for one user or all users so it's still not quite what you need. Though I imagine the author might be able to help you adjust it for just the users you need: Force Password Change

That said, the approach you have posted may work, it's just not ideal. If you went down that route, it would be best to rigorously test it just to ensure it behaves how you want it to.
Click to expand...
That addon doesn't actually force a reset by logging them out however.

My issue is that I am concerned that by simply deleting all 2fa accounts, I would be compromising the security of my users, hence I need to force them to use their email initially as a reset method.

Since XenForo doesn't seem to have a "force reset" flag, I think the above SQL should work.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Steffen
  • Suggestion Suggestion
Invalidate Session on 2FA Activation/Change
Replies
1
Views
100
Kirby
K
B
  • Question Question
XF 2.2 What's the best way to embed video?
Replies
7
Views
105
bennylava
B
R
  • Question Question
XF 2.3 Best way to color the background?
Replies
6
Views
60
Robert9
R
C
Best way to install 2.3 on existing forum...
Replies
4
Views
201
cjwinternet
C
Martyn
Best way to "show/display" people who are no longer with us?
Replies
2
Views
57
Mendalla
Mendalla
Back
Top Bottom