XenForo Password Tools 3.12.2 3.12.2

[Xenforo]

This modification mostly follows the principles of Dan Wheelers password strength estimator zxcvbn. It does not weight password strength by their combination of upper/lower letters, special characters and numbers, but on how easy they are to crack in reality.

To increase the safety of your users account, you can force them to use passwords of a minimum length, minimum strength and even force them to exclude certain words from their passwords (like your site name, the topic your site refers to, etc.).

But the other side of the equation, is no matter how secure the password is, if it has been compromised not password strength estimator will help make it better. As such NIST has the following guidance: check passwords against those obtained from previous data breaches. Pwned Password integration does that.

zxcvbn Readme said:
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes and weighs 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Consider using zxcvbn as an algorithmic alternative to password policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

Features

• Show password feature, allow users to toggle to see what they have actually entered.
• Show users how strong their passwords really are when it comes to crack-attempts
• Deliver instant feedback if password and password-confirm match and/or certain requirements are not met
• Force users to choose passwords with a minimum strength
• Force users to choose passwords with a minimum length
• Force users to chooce a password not containing words from a blacklist you define
• No cheating: This modification also controls users passwords on server side with Ben Jeavos php-implementation of zxcvbn.
• Easy styling through XenForo Style Properties

Options :

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

Thanks to @NamePros for sponsoring this update.

• Update compromised password alert text to be less awkward
• On updating passwords, remove any compromised password alerts to avoid user confusion
• Add "Force email two factor authentication on compromised password" option (default disabled)
• Add "Pwned password minimum count (soft)" option.
  This allows a user to change a password to a known compromised value which is under a given number of known hits. This still generates...

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Reduce queries when triggering forced email 2fa
• Prevent rare DuplicateKeyException when forcing email 2fa and multiple tabs are being used

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Dramatically reduce redistributable size by trimming unneeded files
• php 8.1 compatibility fix

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Fix edge case where 32bit php would incorrectly report a very strong password was weak due to bad float to integer truncation.
• Recommend ext-gmp (aka php-gmp) for optimized binomial calculations, which requires php 7.3+

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.
• More 32bit php fixes, Thanks to @NamePros

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.
• More 32bit php fixes, Thanks to @NamePros

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Require XenForo 2.2+, drop XF2.1 support
• Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
• Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
  • Update new install option defaults to more recommend values:
  • Enforce password complexity for admins
  • Enable "Length check...

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.

You need to be registered to see the hidden links

 

[Xenforo]

Xenforo updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
• Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
• Rename various options to be better searchable
• Adjust various option defaults to be more robust.
  • 'Minimum password length' from 8 => 10 characters
  • 'Minimum password strength' from 'very weak' to 'weak'
  • 'Pwned password...

You need to be registered to see the hidden links

 

[Xenforo]

updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Fix changing user entity while a write is pending in some cases
• Add "Use rejected password fragments in password meter" option (default disabled).
  Take rejected password fragments into consideration when showing the password strength meter to the user.
  Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.

You need to be registered to see the hidden links

 

[Xenforo]

updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Add "Force password reset on compromised password" option
  • This option is likely overkill for most sites, and is not generally recommended

You need to be registered to see the hidden links

 

[Xenforo]

updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Require standardLib v1.20.0+
• Restore XF2.1 support, note front-end Zxcvbn requires XF2.2+
• Support XF2.3+
• php 8.4+ compatibility

You need to be registered to see the hidden links

 

[Xenforo]

updated

You need to be registered to see the hidden links

with a new update entry:

You need to be registered to see the hidden links

• Fix javascript error when using XF2.3

You need to be registered to see the hidden links

 

[Xenforo]

New update

You need to be registered to see the hidden links

:

You need to be registered to see the hidden links

• php 8.4+ compatibility fixes
• Rename option "Password check types" to "New password validation rules"
• Add "On login; consider known-bad passwords as compromised" option (default false)
• Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)

You need to be registered to see the hidden links

 

[Xenforo]

New update

You need to be registered to see the hidden links

:

You need to be registered to see the hidden links

• Fix server error when a password is very long
• Add "Force two-step verification" permission
  • If enabled for a user, prevents email 2fa from being disabled
• For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it
• Align defaults with NIST Password Guidelines for 2024
  • Update "New password validation rules" defaults. "Prevent passwords which contain the user's email or...

You need to be registered to see the hidden links

 

[Xenforo]

New update

You need to be registered to see the hidden links

:

You need to be registered to see the hidden links

• Fix internal server error when registering an account without an email address (requires 3rd party addon to trigger)

You need to be registered to see the hidden links