
Password Tools 3.9.0

Hello, is this add-on usergroup based?
If I want to force only admins and mods to get this kind of strong password, for example?
 
Hey @Xon, I have an influx of member accounts getting hacked, likely due to insecure passwords. If I install this add-on, will I be able to protect against that happening? Will this add-on run checks on all existing accounts to see if their passwords are too simple? Or will it only run checks against active or new accounts?
 
> I have an influx of member accounts getting hacked, likely due to insecure passwords.
I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.

You'll need to turn on the "Force email two factor authentication on compromised password" option. This will force the user to use email 2FA if they don't have 2FA set up, they log in, and the password is detected as compromised.

Warning: this will generate support requests, as you'll find people realise they didn't have a working email address linked to their account.
 
> I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.
>
> You'll need to turn on the "Force email two factor authentication on compromised password" option. This will force the user to use email 2FA if they don't have 2FA set up, they log in, and the password is detected as compromised.
>
> Warning: this will generate support requests, as you'll find people realise they didn't have a working email address linked to their account.
When will the system realize that a user has a compromised password? When they log in?
 
If a spammer/hacker gets into the account, can't they change the email address to essentially take over the account? How would we recover it for the member? Check the account history actions and change the email address back?
 
The email 2FA occurs before any interaction with the account; this blocks the spammer from doing anything unless they can also compromise the email address and use the email 2FA code. But if that were the case, the entire account would be taken over anyway.
 
Just wanted to confirm we had this happen today as well with a user from back in 2018 who never posted.

They seem to be using this same crypto scam/spam seen below, so you can censor that URL too. I've seen it posted on other XF forums today.

spammer.jpg
 
> I've seen this affect a number of XenForo forums over the last week, and yes it is absolutely due to compromised passwords.
>
> You'll need to turn on the "Force email two factor authentication on compromised password" option. This will force the user to use email 2FA if they don't have 2FA set up, they log in, and the password is detected as compromised.
>
> Warning: this will generate support requests, as you'll find people realise they didn't have a working email address linked to their account.
I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.
 
> I have this installed and ticked and we're still getting logins on old accounts from the spammer with compromised credentials.
Can you set these options?
Code:
Pwned password minimum count (hard): 1
Pwned password minimum count (soft): 0
Pwned password cache time: 3

The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet :(
 
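As an added illustration of what the "compromised password" detection and the "minimum count" options above are doing, here is a small Python model of the Have I Been Pwned Pwned Passwords k-anonymity range check together with the login-time policy the thread describes (force email 2FA when a compromised password is used on an account without 2FA). This is example code written for this page, not the Password Tools add-on's own code, and it makes assumptions: the breach corpus, the occurrence counts and the `fake_range_server` stand-in for `https://api.pwnedpasswords.com/range/<prefix>` are all constructed so the example runs offline, and the "minimum count" here is simply the number of breach occurrences at or above which a password is treated as compromised (a threshold of 1 flags any appearance at all).

```python
"""Pwned Passwords k-anonymity range check plus a compromised-password
login policy. Added example, not the Password Tools add-on's code.

The real service is GET https://api.pwnedpasswords.com/range/<first 5
hex chars of the uppercase SHA-1>, which returns 'SUFFIX:COUNT' lines.
Here a constructed in-memory corpus stands in for it so this runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed breach corpus: password -> times seen. These numbers are
# made up for the example and are not real HIBP figures.
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 3_861_493,
    "hunter2": 17,
    "letmein": 1,
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the representation the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def fake_range_server(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>: every corpus hash sharing the prefix,
    as 'SUFFIX:COUNT' lines. The server never learns the full hash."""
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        p, suffix = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range body into suffix -> count. Tolerates blank lines and the
    zero-count padding entries the real API can add when Add-Padding is requested."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fake_range_server) -> int:
    """Breach occurrences of `password`, or 0 if unseen. Only the prefix leaves the host."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def is_compromised(password: str, min_count: int,
                   range_lookup: Callable[[str], str] = fake_range_server) -> bool:
    """Compromised when seen at least `min_count` times. min_count=1 flags any
    appearance; a higher value ignores passwords seen only a handful of times."""
    if min_count < 1:
        raise ValueError("min_count must be >= 1")
    return pwned_count(password, range_lookup) >= min_count


def login_decision(password: str, has_2fa: bool, min_count: int = 1,
                   range_lookup: Callable[[str], str] = fake_range_server) -> str:
    """Step to run after the password itself has verified on login.
    Returns 'allow', or 'force_email_2fa' when the password is compromised and
    the account has no 2FA method of its own (the behaviour described in the thread)."""
    if has_2fa:
        return "allow"
    if is_compromised(password, min_count, range_lookup):
        return "force_email_2fa"
    return "allow"


if __name__ == "__main__":
    for pw in ("password", "hunter2", "letmein", "a-long-unique-passphrase-2024"):
        print(f"{pw!r}: seen {pwned_count(pw)} times ->",
              login_decision(pw, has_2fa=False, min_count=1))
```

The point of the threshold: with a minimum count of 1, `letmein` (seen once in the constructed corpus) is already treated as compromised and triggers email 2FA, while a minimum count of 2 or more lets it through, which is why a more tolerant default can still admit attackers replaying credentials from a breach.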
> Can you set these options?
> Code:
> Pwned password minimum count (hard): 1
> Pwned password minimum count (soft): 0
> Pwned password cache time: 3
>
> The defaults are a little more tolerant, and I suspect there may be a large breach which hasn't made it to haveibeenpwned yet :(
Thanks. Done and will keep an eye on it, of course.
 
There is another thread about this week's forum user takeovers here if anyone is interested in discussing it.
 