Password Tools 3.7.5

[cabref]

I'm using cloudflare and Blocked MOLDOVA via WAF settings.

 

[Xon]

I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.

I've found some bugs where the forced email 2fa didn't reliably kick in. I should have an update out sometime soon.

The next update will tighten up a number of the default options.

 

[Xon]

Xon updated Password Tools with a new update entry:

3.7.5 - Bugfix update

• Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
• Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
• Rename various options to be better searchable
• Adjust various option defaults to be more robust.
  • 'Minimum password length' from 8 => 10 characters
  • 'Minimum password strength' from 'very weak' to 'weak'
  • 'Pwned password...

Read the rest of this update entry...

 

[Ludachris]

I'm using this add-on now for one of my sites. And yes, I'm getting users who are contacting me when trying to reset their password, letting me know that the email on file for their account is no longer accessible. Does the system show them what that old email address is without them being logged in? Or is it only displaying it to the user when they're logged in?

If it's displaying it to them when they're not logged in, via the password recovery process for example, that would be a problem. What's to prevent anyone from trying to login to another person's user account, which would allow them to see what email address is on file for that account? That's typically the one piece of information I can use to have someone confirm before helping them regain access to their account. Hopefully that's not how the system works.

 

[Xon]

It is just the standard email 2fa flow, that is being triggered differently

 

[Ludachris]

It is just the standard email 2fa flow, that is being triggered differently

Does it show a non-logged in user the email address for the account they are trying to log into?

 

[Joan1211]

Hi,
If after intalling this add-on I decide to desinstall it.
Will it be a mess or will it be a clean desinstall?

Will I have to perform any manual clean up?
Thx

 

[Xon]

Like any XF add-on the uninstall process should remove everything, and it is a bug to be fixed if it doesn't

 

[Joan1211]

ok, Thank you!

 

[elsparkodiablo]

Xon, here's a feature request - can you put in a checkbox where, when enabled, if someone's password has been changed in the last [x] number of days, their profile shows a banner or flag saying "RECENTLY UPDATED" or similar?