Password Tools 3.9.0

I'm running your add-on on top of Xenforo with roughly 50k members. I've set fairly strong password requirements (10 characters mixed) which works great for new users and/or members who wish to change their password. However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.

My developer has the ability to log everyone out.

  • Is there a way to force them to select a new password if it doesn't meet the criteria I set in your add-on?
  • Can we force the confirmation via verification of the email on file (without forcing everyone to use 2FA)?

Your assistance is appreciated.
 
However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.
That might be the common exploit some of us here had earlier in the year. Dormant accounts would suddenly be reused on our forums. Pretty sure these are bots using leaked user/password combinations that are out there on the Internet.

I installed Login Spaminator and it eliminated the problem.
 
Thank you!

Is there a way to force users to select a new password if it doesn't meet the criteria I set in the password tools add-on?
 
I do not believe it's possible for these add-ons to know passwords when they have been set.

What you could possibly do is set a user promotion with "User has not visited for at least X days" and force a password reset for an "Inactive" usergroup. I do not know how well this would work, as I do not know if the inactive group would still apply if they do end up becoming active again.

I use DragonByte Security, and that has an option to force passwords upon last visit time.
 
I'm running your add-on on top of Xenforo with roughly 50k members. I've set fairly strong password requirements (10 characters mixed) which works great for new users and/or members who wish to change their password. However, it seems like a hacker has been targeting my site and phishing/running a password breaker trying to gain access to weak accounts.
Forced email 2fa on login when it is detected the user has a known compromised password (without 2fa enabled) was actually designed to help with that.

Just be prepared for a bunch of support queries from people who hate the idea that they can't reuse known broken passwords.

Is there a way to force them to select a new password if it doesn't meet the criteria I set in your add-on?
Not with this addon
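The two answers above come down to the same constraint: once a password is set, only its hash is stored, so the add-on cannot re-check old passwords against a new policy; the plaintext is only seen again at login, which is why the compromised-password check runs there. The sketch below is an added example in Python, not XenForo or Password Tools code; the minimum length, the rejected fragments and the account flag names are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed policy mirroring the thread: a 10-character minimum and a
# blacklist of rejected fragments like the one the add-on lets admins define.
MIN_LENGTH = 10
REJECTED_FRAGMENTS = ("password", "forum", "letmein")  # constructed sample


def policy_violations(password: str) -> list:
    """Return the policy rules a plaintext password fails (empty list = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for frag in REJECTED_FRAGMENTS:
        if frag in lowered:
            problems.append(f"contains rejected fragment '{frag}'")
    return problems


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False      # hypothetical flag name
    require_email_verification: bool = False  # hypothetical flag name


def hash_password(password: str, salt: bytes) -> bytes:
    # Only this hash is persisted, so the policy cannot be re-applied offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def login(account: Account, password: str) -> bool:
    """Verify the password; if it no longer meets policy, flag the account."""
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(account.pw_hash, candidate):
        return False
    # Plaintext is available here, so this is the one place the current
    # policy can be evaluated for passwords set before the policy changed.
    if policy_violations(password):
        account.must_change_password = True
        account.require_email_verification = True
    return True
```

The flags would then gate the session: the user authenticates, but is routed to email verification and a password change before reaching the rest of the site.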
 
Xon updated Password Tools with a new update entry:

3.8.2 - Bugfix & Maintenance update

Thanks to @NamePros for this update.
  • Fix changing user entity while a write is pending in some cases
  • Add "Use rejected password fragments in password meter" option (default disabled).
    Take rejected password fragments into consideration when showing the password strength meter to the user.
    Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling...

 
I'm guessing some things from this addon have been integrated into XF base since the addon was created, so updating the addon description would be nice. From the main page:

Features
  1. Show password feature, allow users to toggle to see what they have actually entered.
  2. Show users how strong their passwords really are when it comes to crack-attempts
  3. Deliver instant feedback if password and password-confirm match and/or certain requirements are not met
  4. Force users to choose passwords with a minimum strength
  5. Force users to choose passwords with a minimum length
  6. Force users to choose a password not containing words from a blacklist you define
  7. No cheating: This modification also checks users' passwords on the server side with Ben Jeavons' PHP implementation of zxcvbn.
  8. Easy styling through XenForo Style Properties

1-2. Already exists. This addon doesn't seem to change anything in this regard.
3. There is no "confirm password". I checked /admin.php?options/groups/usersAndRegistration/ to see if it's a default feature to enable and I don't see it.
4. The default strength indicator seems to be different from the "weak, strong, very weak, etc." that this addon uses, but this addon doesn't change the display of that?
5. Not ideal that minimum length only becomes known once you try to submit your registration.
7. ?? I'm guessing that's the "enforce complexity for admins" option, but clarification would be nice.

It would be nice to present this image https://xkcd.com/936/ to users when they're registering so they know what to do/not to do.
 