
Password Tools 3.9.0

@Xon

Code:
ParseError: syntax error, unexpected token "match", expecting variable src/addons/SV/PasswordTools/_vendor/mkopinsky/zxcvbn-php/src/Matcher.php:65
Generated by: Unknown account, 23.12.2020 at 23:19
Code:
#0 src/vendor/composer/ClassLoader.php(322): Composer\Autoload\includeFile('src/ad...')
#1 src/addons/SV/PasswordTools/_vendor/mkopinsky/zxcvbn-php/src/Zxcvbn.php(34): Composer\Autoload\ClassLoader->loadClass('ZxcvbnPhp\\Match...')
#2 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(86): ZxcvbnPhp\Zxcvbn->__construct()
#3 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(40): SV\PasswordTools\XF\Entity\UserAuth->checkPasswordWithZxcvbn('*****')
#4 src/addons/SV/PasswordTools/XF/Entity/UserAuthCompatPatch.php(36): SV\PasswordTools\XF\Entity\UserAuth->svCheckPasswordOnSet('*****', true, Object(Closure))
#5 src/XF/Service/User/PasswordReset.php(64): SV\PasswordTools\XF\Entity\UserAuthCompatPatch->setPassword('*****', NULL, true, true)
#6 src/XF/Pub/Controller/LostPassword.php(91): XF\Service\User\PasswordReset->resetLostPassword('*****')
#7 src/XF/Mvc/Dispatcher.php(350): XF\Pub\Controller\LostPassword->actionConfirm(Object(XF\Mvc\ParameterBag))
#8 src/XF/Mvc/Dispatcher.php(257): XF\Mvc\Dispatcher->dispatchClass('XF:LostPassword', 'Confirm', Object(XF\Mvc\RouteMatch), Object(XF\Pub\Controller\LostPassword), NULL)
#9 src/XF/Mvc/Dispatcher.php(113): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(XF\Pub\Controller\LostPassword), NULL)
#10 src/XF/Mvc/Dispatcher.php(55): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#11 src/XF/App.php(2300): XF\Mvc\Dispatcher->run()
#12 src/XF.php(488): XF\App->run()
#13 index.php(20): XF::runApp('XF\\Pub\\App')
#14 {main}
Code:
array(4) {
  ["url"] => string(54) "/lost-password/airflare.550/confirm?c=SayHqulEGtgKTesW"
  ["referrer"] => string(23) "https://smartsworld.ru/"
  ["_GET"] => array(2) {
    ["/lost-password/airflare_550/confirm"] => string(0) ""
    ["c"] => string(16) "SayHqulEGtgKTesW"
  }
  ["_POST"] => array(6) {
    ["password"] => string(8) "********"
    ["password_confirm"] => string(8) "********"
    ["_xfToken"] => string(8) "********"
    ["_xfRequestUri"] => string(54) "/lost-password/airflare.550/confirm?c=SayHqulEGtgKTesW"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}
 
@devserg that is a php8 compatibility issue with the zxcvbn password check. I need to update the library this add-on uses and that will require php7.2 minimum.
 
It does?

This should show an additional password complexity meter in various places the user can change passwords (in addition to stock locations in XF2.2+).

And the password complexity rules definitely apply when the user changes their password
 
Ah, then I assume I got the password criteria wrong. I thought the setting for admin passwords requires the user to have complex passwords (special chars and so on).

I assumed the password tool would use complex passwords right out of the box for all users, but it seems it's only checking for length and common passwords. Any chance you'd implement an option to force really complex passwords on all users (uppercase, lowercase, special chars, etc.)?
 
The defaults are fairly lax; just increasing the zxcvbn minimum password complexity from very weak/weak to, say, "strong" will dramatically increase the required complexity for passwords.
 
You'll have a laugh on this - but that's how it's already configured. And still I had a user using the password "Passwortfeld" (passwortfield), which comes back as "Very strong password". Guess you see the problem ;)
 
Xon updated Password Tools with a new update entry:

3.5.0 - Feature update

  • Force global namespace for functions which are known to be optimizable to bytecode in php, or known global functions to avoid a current namespace lookup for the function.
  • Add "On login; alert the user if they have a known compromised password" option (default enabled)
  • Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)

 
I can't see any reason why they would conflict. This add-on just adds an error to the standard process when trying to save a password that isn't allowed.
 
Feature request:

I'd place bets that forum users will use their username, or part of their username, in their password. Any means of forcing it to be unique from the username?
 
More thoughts:

Would it be possible to give members Alerts to change their passwords after a certain amount of time? ie: Your password has not been changed in 90 days. You can change your password here. (## of days is admin set) and remind every 30 days if they don't change.

It would also be nice to "force" a password reset if their password is ### days old? ie: Passwords are required to be changed every 365 days. Please change your password here.

Even fancier, an option to "exempt" the forced change and alerts if members use Two Factor Authentication.
 
It is no longer best practice to have timed password expiry. People will just write it down with a sticky note or append a '1' onto the password and increment that number.

I know I've done that in places before which had a nuts policy of forcing a password change every 25 days for a password you needed to use to unlock your computer at least 2-3 times a day.

Realistically, forcing a large minimum password length and checking against a compromised password database is the best that can be done to not promote bad practices.
 
Is there any way to do some kind of health check against a compromised password database, for all existing accounts?
If it finds a compromised account in the XF database with matching password, it could automatically force a password reset.

Reason I ask is we have had bots trying compromised accounts on our forum, and they succeeded multiple times. These accounts are then used for spam :(
 
Same issues here.
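
On the health-check question above: salted password hashes cannot be looked up in a breach database directly, so the check has to run when the plaintext is available, which is what the "on login" option in the 3.5.0 entry describes. The following is an added example, not code from Password Tools; it assumes a k-anonymity range service that returns `SUFFIX:COUNT` lines (the format of the Pwned Passwords range API), and the function names and sample response are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Password Tools code; names and sample data are constructed.

// Split SHA-1(password) into the 5-char prefix sent to the range service
// and the 35-char suffix that is only ever compared locally.
function splitPasswordHash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

// Find our suffix in a range response made of "SUFFIX:COUNT" lines.
// Returns the breach count, or 0 when the password is not listed.
function breachCount(string $suffix, string $rangeBody): int
{
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }
    return 0;
}

// Alert only for listed passwords, and at most once per $minInterval seconds
// (86400 mirrors the 24-hour default mentioned in the 3.5.0 entry).
function shouldAlert(int $count, ?int $lastAlertAt, int $now, int $minInterval = 86400): bool
{
    return $count > 0 && ($lastAlertAt === null || $now - $lastAlertAt >= $minInterval);
}

// Constructed response for prefix 5BAA6; the counts are made up.
$sampleRange = "1D72CD07550416C216D8AD296BF5C0AE8E0:12\r\n"
             . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             . "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1";

[$prefix, $suffix] = splitPasswordHash('password'); // plaintext from the login form
$count = breachCount($suffix, $sampleRange);        // live: body fetched for $prefix
$now = time();

printf("prefix=%s listed=%d\n", $prefix, $count);
printf("first login: alert=%s\n", var_export(shouldAlert($count, null, $now), true));
printf("1h later:    alert=%s\n", var_export(shouldAlert($count, $now - 3600, $now), true));
```

Only the five-character prefix would leave the server; the suffix comparison and the alert throttle run locally.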
 