Resource icon

Password Tools 2.3.5

No permission to download
Overview FAQ Updates (14) Reviews (7) History Discussion
Pwned password integration
Click to expand...

Does that mean a User Password is send over the internet and compared to other Passwords on multiple servers? Isn't that increasing a risk of someone outside in control of those servers being able to "tap in" the data flow and retrieve passwords? How likely realistic is my assumption?
 
Freelancer said:
Does that mean a User Password is send over the internet and compared to other Passwords on multiple servers? Isn't that increasing a risk of someone outside in control of those servers being able to "tap in" the data flow and retrieve passwords? How likely realistic is my assumption?
Click to expand...
This is why the update says:
It creates a hash of the password, then submits a small piece (the first 5 characters) to the API service (via HTTPS). The API service then returns all known password hashes that start with that prefix.

Finally, this is a configurable so admins can turn the feature off.
 
RobinHood said:
It's built into 1Password now too

https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/
Click to expand...

Since you've mentioned it, not only has 1Password also integrated Pwned Passwords into their application, Mozilla Firefox will be soon, Wordpress security plug-in Wordfence does, bittylicious does, Laravel does, and there are already many other user created tools to do the same on Github and plenty other services I'm sure.

Huge thanks to @Xon for working with me on this project and adding this feature so that we can now say, Xenforo also has integration with Pwned Passwords!

Who knows maybe @Mike will consider adding a similar feature into the base of Xenforo as this is one of those features that not only keep forum owners a bit more secure but also their users more secure by discouraging them from re-using passwords that are already well known from confirmed breaches per Have I Been Pwned. ;)

Thanks again @Xon for your work and knocking this out so quickly. The Pwned Passwords feature works perfectly and the addition of zxcvb is only icing on the cake.
 
Are existing members alerted it their password is too weak or is in the hibp DB?

What does it mean when the top field has a red X and the bottom password field has a green checkmark? The password is 'very strong'.
 
Last edited:
Alfa1 said:
Are existing members alerted it their password is too weak or is in the hibp DB?
Click to expand...
Nope, it only triggers on a password change/set.

What does it mean when the top field has a red X and the bottom password field has a green checkmark? The password is 'very strong'.
Click to expand...
I need to add some on-hover text.

The bottom checkmark means it matches, while the top is if it is valid. If it says 'very strong' it should be ok. Can you send me some details via PM?

iamjudd said:
Any plans for a xf2 version?
Click to expand...
Eventually.
 
eva2000 said:
nice @Xon would this in anyway conflict with Dragonbyte Security's feature I wonder @DragonByte Tech ?

View attachment 170592
Click to expand...
Specifically for that page no. For the general HIBP lookup, I make a call to their servers querying whether the username or email has been found in their DB, I do not do any form of partial password hash transfer like 1Password or this would do.


Fillip
 
You must log in or register to reply here.

Similar threads

Saarbruecken
Fixed Password to Elastic Search is shown as plain text in Server Error Log
Replies
8
Views
242
Saarbruecken
Saarbruecken
Painbaker
[XB] Password Change Permission [Deleted]
Replies
1
Views
18
Painbaker
Painbaker
Ozzy47
[OzzModz] Password Change Permissions [Deleted]
Replies
1
Views
8
Ozzy47
Ozzy47
CZ Eddie
  • Question Question
XF 2.3 A password reset request has been emailed to you. Please follow the instructions in that email.
Replies
0
Views
34
CZ Eddie
CZ Eddie
D
Password Tools - FRENCH translation [Deleted]
Replies
3
Views
473
Ozzy47
Ozzy47
Back
Top Bottom