Password Tools 3.9.0

I'm running your add-on on top of XenForo with roughly 50k members. I've set fairly strong password requirements (10 characters mixed) which works great for new users and/or members who wish to change their password. However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.

My developer has the ability to log everyone out.

  • Is there a way to force them to select a new password if it doesn't meet the criteria I set in your add-on?
  • Can we force the confirmation via verification of the email on file (without forcing everyone to use 2FA)?

Your assistance is appreciated.
 
However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.
That might be the common exploit some of us here had earlier in the year. Dormant accounts would suddenly be reused on our forums. Pretty sure these are bots using leaked user/password combinations that are out there on the Internet.

I installed Login Spaminator and it eliminated the problem.
 
That might be the common exploit some of us here had earlier in the year. Dormant accounts would suddenly be reused on our forums. Pretty sure these are bots using leaked user/password combinations that are out there on the Internet.

I installed Login Spaminator and it eliminated the problem.
Thank you!

Is there a way to force users to select a new password if it doesn't meet the criteria I set in the password tools add-on?
 
Thank you!

Is there a way to force users to select a new password if it doesn't meet the criteria I set in the password tools add-on?
I do not believe it's possible for these add-ons to know passwords when they have been set.

What you could possibly do is to set a user promotion with "User has not visited for at least X days" and force a password reset for an "Inactive" usergroup. I do not know how well this would work as I do not know if the inactive group would work if they do end up becoming active again.

I use DragonByte Security, and that has an option to force passwords upon last visit time.
 
I'm running your add-on on top of XenForo with roughly 50k members. I've set fairly strong password requirements (10 characters mixed) which works great for new users and/or members who wish to change their password. However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.
Forced email 2fa on login when it is detected the user has a known compromised password (without 2fa enabled) was actually designed to help with that.

Just be prepared for a bunch of support queries over people who hate the idea they can't reuse known broken passwords.

Is there a way to force them to select a new password if it doesn't meet the criteria I set in your add-on?
Not with this addon
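
Added example, not part of the thread and not code from Password Tools or XenForo: because only password hashes are stored, the length/mix policy and a breach check can only be applied at login, while the plaintext is briefly available. The sketch assumes PBKDF2 as a stand-in for the forum's stored hash, a constructed breach list, one reading of "10 characters mixed", and hypothetical outcome names (`email_code`, `email_reset`).

```python
import hashlib
import hmac
import re

MIN_LENGTH = 10  # the thread's policy: 10 characters, mixed

# Constructed sample data: SHA-1 digests of passwords seen in breach dumps.
# A real deployment would consult a breach corpus instead (assumption).
BREACHED_SHA1 = {hashlib.sha1(p).hexdigest()
                 for p in (b"Summer2019!x", b"password123")}


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for whatever hash the forum software stores (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def meets_policy(password: str) -> bool:
    """'Mixed' is read here as lower case + upper case + digit (assumption)."""
    classes = (r"[a-z]", r"[A-Z]", r"\d")
    return (len(password) >= MIN_LENGTH
            and all(re.search(c, password) for c in classes))


def is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def login_decision(user: dict, password: str) -> str:
    """Return 'deny', 'email_code', 'email_reset' or 'allow'.

    user is a constructed record: {'salt': bytes, 'hash': bytes, 'has_2fa': bool}.
    """
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return "deny"
    # The correct password was presented, but the person typing it may not be
    # the owner: a breached password without 2FA gets a one-time code sent to
    # the email on file before any session is created.
    if is_breached(password) and not user["has_2fa"]:
        return "email_code"
    # A policy-failing password is replaced through a reset link sent to the
    # email on file, so a guesser cannot simply choose the new password.
    if not meets_policy(password):
        return "email_reset"
    return "allow"  # continue with the normal flow, including 2FA if enabled
```

Accounts that never log in again are never evaluated by a check like this; they keep their old hash until a reset is forced some other way.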
 
Xon updated Password Tools with a new update entry:

3.8.2 - Bugfix & Maintenance update

Thanks to @NamePros for this update.
  • Fix changing user entity while a write is pending in some cases
  • Add "Use rejected password fragments in password meter" option (default disabled).
    Take rejected password fragments into consideration when showing the password strength meter to the user.
    Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling...

 