Password Tools 3.7.5

[Joe Link]

2.7.4 - Bugfix update

This should be 3.7.4

 

[Forsaken]

This should be 3.7.4

This is only the title for the update; update itself is labeled as 3.7.4.

 

[Xon]

I do that every so often, will try to get that fixed

 

[Joe Link]

No worries, just wanted to give you a heads up

 

[Nicolas FR]

Hello, is this add-on usergroups based ?
If i want to force only admins and modos to get this kind of strong password for example ?

 

[Xon]

This is add-on is global and isn't user-group based.

 

[Ludachris]

Hey @Xon, I have an influx of member accounts getting hacked, likely due to insecure passwords. If I install this add-on, will I be able to protect against that from happening? Will this add-on run checks on all existing accounts to see if their passwords are too simple? Or will it only run checks against active or new accounts?

 

[Xon]

I have an influx of member accounts getting hacked, likely due to insecure passwords.

I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.

You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.

Warning; this will general support requests as you'll find people realise they didn't have a working email address linked to their account.

 

[Ludachris]

I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.

You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.

Warning; this will general support requests as you'll find people realise they didn't have a working email address linked to their account.

When will system realize that a user has a compromised pw? When they log in?

 

[Xon]

When will system realize that a user has a compromised pw? When they log in?

Yup, on login. Which includes when a spammer manages to login with another account.

 

[Ludachris]

If a spammer/hacker gets into the account, can't they change the email address to essentially take over the account? How would we recover it for the member? Check the account history actions and change the email address back?

 

[Xon]

The Email 2fa occurs before any interaction with the account, this blocks the spammer doing anything unless they can also compromise the email address and use the email 2fa code. But if that was the case the entire account would be taken over anyway.

 

[ActorMike]

Just wanted to confirm we had this happen today as well with a user from back in 2018 who never posted.

They seem to be using this same crypto scam/spam seen below, so you can censor that URL too. I've seen it posted on other XF forums today.

 

[Ludachris]

I've found that other XF admins are dealing with the same thing and have reported the same IP addresses.

IP addresses used:

Moldova	Netherlands	Netherlands	Netherlands
109.107.166.230	5.61.55.218	37.220.87.25	45.136.48.135

 

[ActorMike]

Thanks for sharing same here on the first one. I blocked 109.107.166.0/24 on our firewall since they are also hitting Wordpress sites per- https://cleantalk.org/blacklists/109.107.166.230

 

[Stuart Wright]

I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.

You'll need to turn on the "Force email two factor authentication on compromised password". This will force the user to use email 2fa if they don't have 2fa setup and they login and the password is detected as compromised.

Warning; this will general support requests as you'll find people realise they didn't have a working email address linked to their account.

I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.

 

[Xon]

I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.

Can you set these options?

Pwned password minimum count (hard): 1
Pwned password minimum count (soft): 0
Pwned password cache time: 3

The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet

 

[Stuart Wright]

Can you set these options?

Pwned password minimum count (hard): 1
Pwned password minimum count (soft): 0
Pwned password cache time: 3

The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet

Thanks. Done and will keep an eye on it, of course.

 

[sunsky7]

There is another thread about this week's forum user takeovers here if anyone is interested in discussing it.

Spammers posting through existing accounts with no need to login?

And, worse, with no need of stealing such account. The fact is that since a week ago or so I am getting some spam messages posted by users with little or no activity, but registered years ago. All IP's are located next, and the message is tipically a link to a Telegram channel related to...

xenforo.com

 

[ActorMike]

Thanks. Done and will keep an eye on it, of course.

You need to block the IP addresses on you server as noted above- https://xenforo.com/community/threads/password-tools.154256/post-1609790

I actually block the entire block related to the specific IP.