Resource icon

Password Tools 3.9.0

No permission to download
Is there any way to do some kind of health check against a compromised password database, for all existing accounts?
If it finds a compromised account in the XF database with matching password, it could automatically force a password reset.
The alert can only be triggered at login, as this is when a non-encrypted copy of the password exists to be checked.
 
What about a XF-side forced password change for any account that hasn't been active for a certain period of time? ie: Member1234 hasn't logged in for X months, and the forum automatically/randomly assigns their account a 20-character password...and a notice upon their next visit to why their password changed.
 
The alert can only be triggered at login, as this is when a non-encrypted copy of the password exists to be checked.
This would be a very cool feature. That way we could inform the user, that he/she is using a compromised password. Nice service!
If we could force a password reset, the bot won't be able to login.
 
Q? Is there a definition out there that explains the general differences between Very Weak, Weak, Medium, Strong, Very Strong?? I have searched and not found anything obvious (other than FedEx seems to use that 5 level ranking...)

I just bumped my minimum from "weak" to "medium" and my inbox is blowing up :) (clearly, quite a few members failed....)
 
Not really, it is based on whatever criteria zxcvbn judges it by.

Personally I've just increase the minimum password length and require it to pass the haveibeenpwned checks
 
What about a XF-side forced password change for any account that hasn't been active for a certain period of time? ie: Member1234 hasn't logged in for X months, and the forum automatically/randomly assigns their account a 20-character password...and a notice upon their next visit to why their password changed.
I kept thinking XF already had that feature, but I might be thinking of something similar in the Dragonbytes Security add-on (a forced reset of some kind). I'd have to check, though. With my memory, I could be imagining things right about now. 😁 I still recommend that add-on though, even if you have this one, since it adds a good layer of security so that your staff accounts are harder to compromise.
 
Xon updated Password Tools with a new update entry:

3.6.1 - Feature update

Thanks to @NamePros for sponsoring this update.
  • Update compromised password alert text to be less awkward
  • On updating passwords, remove any compromised password alerts to avoid user confusion
  • Add "Force email two factor authentication on compromised password" option (default disabled)
  • Add "Pwned password minimum count (soft)" option.
    This allows a user to change a password to a known compromised value which is under a given number of known hits. This...

Read the rest of this update entry...
 
Last edited:
This add-on does require updates for php 8.1 compatibility, I'm hopeful it will be out within a week or so.
 
Hello

do you have any idea why I have below error?

Stack trace​

#0 src/XF.php(218): XF\Error->logError('cURL error 28: ...', false)
#1 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(210): XF::logError('cURL error 28: ...')
#2 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(133): SV\PasswordTools\XF\Entity\UserAuth->getPwnedPrefixMatches('072F7', 1645163944, false)
#3 src/addons/SV/PasswordTools/XF/Service/User/Login.php(36): SV\PasswordTools\XF\Entity\UserAuth->isPwnedPassword('*****', 0, false)
#4 src/XF.php(370): SV\PasswordTools\XF\Service\User\Login->SV\PasswordTools\XF\Service\User\{closure}()
#5 src/XF/Mvc/Dispatcher.php(158): XF::triggerRunOnce(true)
#6 src/XF/Mvc/Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#7 src/XF/App.php(2351): XF\Mvc\Dispatcher->run()
#8 src/XF.php(517): XF\App->run()
#9 index.php(20): XF::runApp('XF\\Pub\\App')
#10 {main}
 
The actual error tells you what happened, but this is a curl library failure. Either due to DNS, transient network issues or whatever.

This error shouldn't block logging in, but if it is a too-long a timeout it might cause the login page to fail.
 
Xon updated Password Tools with a new update entry:

3.7.1 - Feature update

  • Require XenForo 2.2+, drop XF2.1 support
  • Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
  • Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
    • Update new install option defaults to more recommend values:
    • Enforce password complexity for admins
    • Enable "Length...

Read the rest of this update entry...
 
Back
Top Bottom