Password Tools 3.9.0

Getting the following error: "API failure when attempting to validate password, please try again shortly" that traces to the pwned password validation. This just started in the last week.
 
Your server is likely being blocked by the pwned password service. Nothing I can do about that.
 
Apparently the pwned service now requires you to purchase an api key if you are requesting more than every 1500ms or something, it's $3.5 a month. I'm not seeing where to plug that in however.
 

Authorisation

Authorisation is required for all APIs that enable searching HIBP by email address, namely retrieving all breaches for an account and retrieving all pastes for an account. An HIBP subscription key is required to make an authorised call and can be obtained on the API key page. The key is then passed in a "hibp-api-key" header:

GET https://haveibeenpwned.com/api/v3/{service}/{parameter}
hibp-api-key: [your key]
 
Also getting this error in the server logs despite pwned not being enabled at this time

Stack trace

#0 src/XF.php(219): XF\Error->logError('cURL error 56: ...', false)
#1 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(227): XF::logError('cURL error 56: ...')
#2 src/addons/SV/PasswordTools/XF/Entity/UserAuth.php(150): SV\PasswordTools\XF\Entity\UserAuth->getPwnedPrefixMatches('08B70', 1657989432, false)
#3 src/addons/SV/PasswordTools/XF/Service/User/Login.php(37): SV\PasswordTools\XF\Entity\UserAuth->isPwnedPassword('*****', 0, false)
#4 src/XF.php(377): SV\PasswordTools\XF\Service\User\Login->SV\PasswordTools\XF\Service\User\{closure}()
#5 src/XF/Mvc/Dispatcher.php(158): XF::triggerRunOnce(true)
#6 src/XF/Mvc/Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#7 src/XF/App.php(2353): XF\Mvc\Dispatcher->run()
#8 src/XF.php(524): XF\App->run()
#9 index.php(20): XF::runApp('XF\\Pub\\App')
#10 {main}

Request state

array(4) {
["url"] => string(12) "/login/login"
["referrer"] => string(28) "https://www.bladeforums.com/"
["_GET"] => array(1) {
["/login/login"] => string(0) ""
}
["_POST"] => array(5) {
["_xfToken"] => string(8) "********"
["login"] => string(6) "tgmr05"
["password"] => string(8) "********"
["remember"] => string(1) "1"
["_xfRedirect"] => string(28) "https://www.bladeforums.com/"
}
}
 
> Apparently the pwned service now requires you to purchase an api key if you are requesting more than every 1500ms or something, it's $3.5 a month. I'm not seeing where to plug that in however.
You haven't given the actual connection error; this actually matters for determining the issue.

The pwned password API check is unrelated to that API key.

> Also getting this error in the server logs despite pwned not being enabled at this time
Disable the "On login; alert the user if they have a known compromised password" option to fully disable the pwned password integration.

This error is unrelated to the pwned password API; you appear to be using an outbound HTTP proxy setup which isn't working correctly.
 
Where would I find the connection error, as I do not see it in the error codes being generated in the XenForo server error log?

> ErrorException: cURL error 56: Received HTTP code 500 from proxy after CONNECT
The error string indicates it is a proxy error.
 
Xon, is there going to be a place to plug in the API key for haveibeenpwned since we generate so many requests?

The ranged lookup doesn't require an API key, even for heavy query loads. Further, the add-on caches the looked-up hash chunks for ~7 days, which dramatically reduces the number of requests.
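The ranged lookup described in the reply above works by sending only the first five hex characters of the password's SHA-1 to the pwned-passwords range endpoint and matching the remaining 35 characters locally, so the service never sees the full hash; caching the returned chunk per prefix is what keeps request volume low. The following is an added illustration of that scheme with a per-prefix cache and expiry, not code from the Password Tools add-on or from haveibeenpwned. The network fetch is replaced by a constructed stand-in (`fake_fetch_range`, with made-up counts) so it runs offline; the real endpoint it imitates is `https://api.pwnedpasswords.com/range/{prefix}`.

```python
import hashlib
import time
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# The real service returns one "<35-hex-char SUFFIX>:<COUNT>" line per hash that
# shares the 5-character prefix; the counts below are invented for this example.
CONSTRUCTED_RANGE_BODIES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") suffix
        "1F2E0C0CAD8B6A2D0C1F2E3D4C5B6A7F8E9:2",        # constructed filler entry
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix} (no API key needed)."""
    return CONSTRUCTED_RANGE_BODIES.get(prefix, "")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Turn "SUFFIX:COUNT" lines into a suffix -> count mapping."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


class PwnedRangeCache:
    """Caches each fetched prefix chunk for ttl_seconds (the thread recommends ~7 days),
    so repeated logins sharing a prefix cost one request, not one per login."""

    def __init__(self, fetch: Callable[[str], str], ttl_seconds: int = 7 * 86400,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Dict[str, int]]] = {}
        self.fetch_calls = 0  # exposed so the effect of caching can be observed

    def _chunk(self, prefix: str) -> Dict[str, int]:
        now = self._clock()
        entry = self._cache.get(prefix)
        if entry is not None and now - entry[0] < self._ttl:
            return entry[1]  # cache hit: no request to the service
        self.fetch_calls += 1
        chunk = parse_range_body(self._fetch(prefix))
        self._cache[prefix] = (now, chunk)
        return chunk

    def pwned_count(self, password: str) -> int:
        """Number of times the password appears in the breach corpus, 0 if absent."""
        prefix, suffix = sha1_prefix_suffix(password)
        return self._chunk(prefix).get(suffix, 0)


if __name__ == "__main__":
    cache = PwnedRangeCache(fake_fetch_range)
    for pw in ("password", "hello"):
        print(pw, "->", cache.pwned_count(pw), "requests so far:", cache.fetch_calls)
```

The counts in the stand-in are invented, but the mechanics match the reply: the check needs no key, and the cache TTL is the "password cache time" option discussed later in the thread.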
 
This tool seems to be working well when a user tries to change his password. But what I really need is to be able to "force" all of my users to change their password "if" their password doesn't meet the criteria I set. Is there a way to do this? TiA
 
The password complexity and other rules can only be checked when a login event (or registration event) occurs as this is the only time the non-hashed password is known.

This add-on already supports doing a haveibeenpwned check on login, which does enable pushing the user to change from a known compromised password and forcing email 2FA if no other 2FA is set up.
 
> The password complexity and other rules can only be checked when a login event (or registration event) occurs as this is the only time the non-hashed password is known.
>
> This add-on already supports doing a haveibeenpwned check on login, which does enable pushing the user to change from a known compromised password and forcing email 2FA if no other 2FA is set up.
That's great! Though I don't completely understand. Could you point me in the direction of instructions on how to set up haveibeenpwned?
 
> That's great! Though I don't completely understand. Could you point me in the direction of instructions on how to set up haveibeenpwned?
Ensure "pwned password password validation" is set under "Password check types", and check "On login; alert the user if they have a known compromised password". Then consider if you want "Force email two factor authentication on compromised password" to be used.
 
> Ensure "pwned password password validation" is set under "Password check types", and check "On login; alert the user if they have a known compromised password". Then consider if you want "Force email two factor authentication on compromised password" to be used.
I've got those checked. But it sounds like those are for known compromised passwords. How do I force them to increase the password strength if their password is weak? And what does password cache time do? Thanks!
 

Attachment: Screen Shot 2022-10-24 at 8.32.22 PM.webp
> I've got those checked. But it sounds like those are for known compromised passwords. How do I force them to increase the password strength if their password is weak? And what does password cache time do? Thanks!
That isn't supported. The password cache time is how often hash chunks are fetched from haveibeenpwned and is there to limit how much traffic is required. I recommend 5-7 days for that, which should be the default.

There isn't really much point in forcing a password reset for weak passwords; they are very likely to be part of known compromised passwords and will be detected that way.
 