
Password Tools 2.3.5


Freelancer

Well-known member
Pwned password integration

Does that mean a User Password is sent over the internet and compared to other Passwords on multiple servers? Isn't that increasing the risk of someone outside, in control of those servers, being able to "tap in" to the data flow and retrieve passwords? How realistic is my assumption?
 

Xon

Well-known member
Does that mean a User Password is sent over the internet and compared to other Passwords on multiple servers? Isn't that increasing the risk of someone outside, in control of those servers, being able to "tap in" to the data flow and retrieve passwords? How realistic is my assumption?
This is why the update says:
It creates a hash of the password, then submits a small piece (the first 5 characters) to the API service (via HTTPS). The API service then returns all known password hashes that start with that prefix.

Finally, this is configurable, so admins can turn the feature off.
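For readers who want to see the lookup Xon describes in working code, here is an added example in Python (my own illustration, not code from the Password Tools add-on). It hashes the password with SHA-1, sends only the first 5 hex characters of the digest to the Pwned Passwords range endpoint, and checks the returned suffix list locally, so the full hash never leaves the client. The endpoint URL https://api.pwnedpasswords.com/range/ is the public one; the sample response body is constructed for this example (only the first suffix is the real remainder of SHA-1("password"); the counts and the other suffixes are made up), and the network fetcher is injected so the check runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Public Pwned Passwords range endpoint (k-anonymity API).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the uppercase hex digest into the
    5-character prefix that leaves the client and the 35-character suffix
    that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings, blank lines and lowercase hex. A malformed
    line raises rather than being skipped, so a truncated or tampered
    response cannot be mistaken for 'password not found'.
    """
    table: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        suffix = suffix.upper()
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        int(suffix, 16)  # raises ValueError if the suffix is not hex
        table[suffix] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the response body for that 5-character
    prefix; injecting it keeps the check testable offline. A count of 0 is
    treated as 'not found' because the service can return padding entries
    with a 0 count when response padding is requested.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def fetch_range_https(prefix: str) -> str:
    """Live fetch over HTTPS; only the 5-character prefix is transmitted."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    int(prefix, 16)  # raises ValueError if not hex
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix really is the remainder of SHA-1("password"); the count and
# the other two lines are made up for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "A" * 35 + ":2",
    "0" * 34 + "1:0",  # a zero-count line, as padding entries look
])


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_https serving the constructed sample."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    return "B" * 35 + ":0\r\n"  # nothing matching for any other prefix


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To run against the live service, pass `fetch_range_https` instead of `fake_fetch`; the only thing that crosses the wire is the 5-character prefix, which matches several hundred candidate hashes on the server side, so the server cannot tell which one (if any) the client holds.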
 

WoodiE

Well-known member

Since you've mentioned it, not only has 1Password integrated Pwned Passwords into its application, Mozilla Firefox will soon, the WordPress security plugin Wordfence does, Bittylicious does, Laravel does, and there are already many other user-created tools that do the same on GitHub, and plenty of other services, I'm sure.

Huge thanks to @Xon for working with me on this project and adding this feature so that we can now say XenForo also has integration with Pwned Passwords!

Who knows, maybe @Mike will consider adding a similar feature into the base of XenForo, as this is one of those features that not only keeps forum owners a bit more secure but also keeps their users more secure by discouraging them from re-using passwords that are already well known from confirmed breaches per Have I Been Pwned. ;)

Thanks again @Xon for your work and knocking this out so quickly. The Pwned Passwords feature works perfectly, and the addition of zxcvbn is only icing on the cake.
 

Alpha1

Well-known member
Are existing members alerted if their password is too weak or is in the HIBP DB?

What does it mean when the top field has a red X and the bottom password field has a green checkmark? The password is 'very strong'.
 

Xon

Well-known member
Are existing members alerted if their password is too weak or is in the HIBP DB?
Nope, it only triggers on a password change/set.

What does it mean when the top field has a red X and the bottom password field has a green checkmark? The password is 'very strong'.
I need to add some on-hover text.

The bottom checkmark means it matches, while the top is if it is valid. If it says 'very strong' it should be ok. Can you send me some details via PM?

Any plans for an xf2 version?
Eventually.
 

DragonByte Tech

Well-known member
Nice, @Xon. Would this in any way conflict with DragonByte Security's feature, I wonder, @DragonByte Tech?

Specifically for that page, no. For the general HIBP lookup, I make a call to their servers querying whether the username or email has been found in their DB; I do not do any form of partial password hash transfer like 1Password or this would do.


Fillip
 