XF 1.4 Best Way to Invalidate Password

md_5

Well-known member
As part of my upgrade to XenForo 1.5 I need to deal with the fact that existing two-factor accounts (via an add-on) cannot be imported to the XenForo two-factor auth system.
From a security point of view, the sanest thing to do seems to be to force a password reset on users that currently have two-factor auth enabled.
What is the best way to do this? What I have in mind is simply batch-updating their xf_user_authenticate data to the following:
Code:
a:1:{s:4:"hash";s:1:"!";}
There is no way that a password hash can be "!", so this should be safe, but I am curious if anyone had better ideas.
 
I would still say a script that causes a password reset in bulk is a better option. I believe there may be an add-on that does it already, but it appears to do it either for one user or for all users, so it's still not quite what you need. Though I imagine the author might be able to help you adjust it for just the users you need: Force Password Change

That said, the approach you have posted may work, it's just not ideal. If you went down that route, it would be best to rigorously test it just to ensure it behaves how you want it to.
 
That addon doesn't actually force a reset by logging them out however.

My issue is that I am concerned that by simply deleting all 2fa accounts, I would be compromising the security of my users, hence I need to force them to use their email initially as a reset method.

Since XenForo doesn't seem to have a "force reset" flag, I think the above SQL should work.
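The batch update proposed in the opening post, together with the logout concern raised in the follow-up, written out as one MySQL script. This is an added example, not code from the thread or from XenForo itself. It assumes a XenForo 1.2+ schema (xf_user_authenticate with user_id, scheme_class and data; remember-me tokens in xf_user_remember), and it assumes the add-on keeps its two-factor users in a table with a user_id column, shown here under the placeholder name addon_two_step; substitute the add-on's real table. Setting scheme_class to the core 1.2+ scheme is also an assumption, made so the sentinel is always read as a plain array with a single hash key regardless of which legacy scheme the row used before.

```sql
-- Added example, not code from the thread or from XenForo.
-- Assumes MySQL, XenForo 1.2+ tables, and a placeholder add-on table
-- addon_two_step(user_id) listing the users who have two-factor enabled.

-- 1. Keep a copy of the rows about to be overwritten so the change can be
--    reversed. This is DDL, so it runs (and commits) before the transaction.
CREATE TABLE xf_user_authenticate_pre_reset AS
SELECT ua.*
FROM xf_user_authenticate AS ua
JOIN addon_two_step AS tfa ON tfa.user_id = ua.user_id;

START TRANSACTION;

-- 2. Overwrite the stored hash with the sentinel "!" for exactly those users.
--    "!" is not a valid bcrypt string, so password_verify() can never succeed
--    against it; the only way back in is the email-based lost-password flow.
--    scheme_class is pinned to the core 1.2+ scheme (assumption) so the
--    sentinel is parsed as {"hash": "!"} whatever scheme the row had before.
UPDATE xf_user_authenticate AS ua
JOIN addon_two_step AS tfa ON tfa.user_id = ua.user_id
SET ua.scheme_class = 'XenForo_Authentication_Core12',
    ua.data         = 'a:1:{s:4:"hash";s:1:"!";}';

-- 3. A "remember me" cookie re-authenticates without the password, so the
--    hash change alone does not log returning browsers out. Drop their tokens.
DELETE ur
FROM xf_user_remember AS ur
JOIN addon_two_step AS tfa ON tfa.user_id = ur.user_id;

-- 4. Sanity check before committing: this must return 0, i.e. no targeted
--    user still carries a verifiable hash. ROLLBACK instead if it does not.
SELECT COUNT(*) AS targeted_rows_without_sentinel
FROM xf_user_authenticate AS ua
JOIN addon_two_step AS tfa ON tfa.user_id = ua.user_id
WHERE ua.data <> 'a:1:{s:4:"hash";s:1:"!";}';

COMMIT;
```

Run it on a copy of the database first, as suggested in the thread. The script only covers the stored hash and the remember-me tokens; sessions that are already open are a separate store and are not touched here.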
 