
Password Tools 3.7.5


Nicolas FR

Well-known member
Hello, is this add-on usergroup based?
If I want to force only admins and modos to get this kind of strong password, for example?
 

Ludachris

Well-known member
Hey @Xon, I have an influx of member accounts getting hacked, likely due to insecure passwords. If I install this add-on, will I be able to protect against that from happening? Will this add-on run checks on all existing accounts to see if their passwords are too simple? Or will it only run checks against active or new accounts?
 

Xon

Well-known member
> I have an influx of member accounts getting hacked, likely due to insecure passwords.

I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.

You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.

Warning: this will generate support requests as you'll find people realise they didn't have a working email address linked to their account.
 

Ludachris

Well-known member
> I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.
>
> You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.
>
> Warning: this will generate support requests as you'll find people realise they didn't have a working email address linked to their account.

When will the system realize that a user has a compromised pw? When they log in?
 

Ludachris

Well-known member
If a spammer/hacker gets into the account, can't they change the email address to essentially take over the account? How would we recover it for the member? Check the account history actions and change the email address back?
 

Xon

Well-known member
The Email 2fa occurs before any interaction with the account, this blocks the spammer doing anything unless they can also compromise the email address and use the email 2fa code. But if that was the case the entire account would be taken over anyway.
 

ActorMike

Well-known member
Just wanted to confirm we had this happen today as well with a user from back in 2018 who never posted.

They seem to be using this same crypto scam/spam seen below, so you can censor that URL too. I've seen it posted on other XF forums today.

[Attachment: spammer.jpg]
 

Stuart Wright

Well-known member
> I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.
>
> You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.
>
> Warning: this will generate support requests as you'll find people realise they didn't have a working email address linked to their account.

I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.
 

Xon

Well-known member
> I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.

Can you set these options?
Code:
Pwned password minimum count (hard): 1
Pwned password minimum count (soft): 0
Pwned password cache time: 3

The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet :(
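To make the hard/soft thresholds concrete, here is an added example (not the add-on's own code) of how a compromised-password check and the resulting login decision fit together: the password's SHA-1 is split into a 5-character prefix that is looked up and a suffix that is matched locally, the match count is compared against the two thresholds, and a "compromised" verdict forces email 2FA for a user without 2FA set up. The breach data and the lookup function are constructed stand-ins so it runs offline; it assumes a threshold of 0 disables that tier, and the cache-time option is not modelled.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the breach corpus behind a range lookup:
# a few leaked passwords and how often each was seen (hypothetical values).
LEAKED_SAMPLE: Dict[str, int] = {
    "password123": 120000,
    "letmein": 50000,
    "qwerty2018": 12,
}

def sha1_split(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for a k-anonymity range query (only the prefix is sent;
    the reply is 'SUFFIX:COUNT' lines for every leaked hash with that prefix)."""
    lines = []
    for pw, count in LEAKED_SAMPLE.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_split(password)
    for line in lookup(prefix).splitlines():
        s, _, count = line.strip().partition(":")
        if s == suffix:
            return int(count)
    return 0

def classify(count: int, hard_min: int, soft_min: int) -> str:
    """Apply the two thresholds from the options above (assumed: 0 disables a tier).
    'compromised' is the hard tier, 'weak' the soft warning tier."""
    if hard_min > 0 and count >= hard_min:
        return "compromised"
    if soft_min > 0 and count >= soft_min:
        return "weak"
    return "ok"

def login_action(password: str, has_2fa: bool, hard_min: int = 1, soft_min: int = 0,
                 lookup: Callable[[str], str] = fake_range_lookup) -> str:
    """Decide what happens at login: a compromised password on an account
    without 2FA is pushed through email 2FA before any interaction."""
    verdict = classify(pwned_count(password, lookup), hard_min, soft_min)
    if verdict == "compromised" and not has_2fa:
        return "require_email_2fa"
    return "proceed"
```

With hard = 1, a single appearance in the corpus is enough to trigger email 2FA; raising the hard count only lets rarely-seen passwords through.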
 

Stuart Wright

Well-known member
> Can you set these options?
> Code:
> Pwned password minimum count (hard): 1
> Pwned password minimum count (soft): 0
> Pwned password cache time: 3
>
> The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet :(

Thanks. Done and will keep an eye on it, of course.
 

sunsky7

Member
There is another thread about this week's forum user takeovers here if anyone is interested in discussing it.
 