newimage submitted a new resource:
Password Tools 3.2.2 - Password
- Force global namespace for functions which are known to be optimizable to bytecode in php, or known global functions to avoid a current namespace lookup for the function.
- Add "On login; alert the user if they have a known compromised password" option (default enabled)
- Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)
Thanks to @NamePros for sponsoring this update.
- Update compromised password alert text to be less awkward
- On updating passwords, remove any compromised password alerts to avoid user confusion
- Add "Force email two factor authentication on compromised password" option (default disabled)
- Add "Pwned password minimum count (soft)" option.
  This allows a user to change a password to a known compromised value which is under a given number of known hits. This still generates...
- Reduce queries when triggering forced email 2fa
- Prevent rare DuplicateKeyException when forcing email 2fa and multiple tabs are being used
- Dramatically reduce redistributable size by trimming unneeded files
- php 8.1 compatibility fix
- Fix edge case where 32bit php would incorrectly report a very strong password was weak due to bad float to integer truncation.
- Recommend ext-gmp (aka php-gmp) for optimized binomial calculations, which requires php 7.3+
- Switch back to upstream bjeavons/zxcvbn-php library as it should be fully php 8.1 compatible.
- More 32bit php fixes, Thanks to @NamePros
- Require XenForo 2.2+, drop XF2.1 support
- Actually implement cron to prune the pwned password hash cache. Old entries were already being ignored, so this will hopefully just reduce MySQL table bloat
- Fix denial of service attack by preventing overly long passwords, which can trigger a factorial number of brute force password checks when using Zxcvbn
- Update new install option defaults to more recommended values:
  - Enforce password complexity for admins
  - Enable "Length check...
- Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.
- Fix password checks that could incorrectly apply when resetting a user's password
- Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
- Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
- Rename various options to be better searchable
- Adjust various option defaults to be more robust.
  - 'Minimum password length' from 8 => 10 characters
  - 'Minimum password strength' from 'very weak' to 'weak'
  - 'Pwned password...
- Require StandardLib v1.18.0+
- Add new "User-group for compromised passwords" option, which adds users to the selected user-group when it is detected they have a compromised password on login.
  Defaults to disabled. Useful for targeting with notices
- Fix changing user entity while a write is pending in some cases
- Add "Use rejected password fragments in password meter" option (default disabled).
  Take rejected password fragments into consideration when showing the password strength meter to the user.
  Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.
- Add "Force password reset on compromised password" option
  - This option is likely overkill for most sites, and is not generally recommended
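As an added example (not the add-on's own code), here is the decision logic the changelog's options describe, in Python: the length cap runs before any strength estimator sees the input, a k-anonymity range lookup (assumed to follow the Have I Been Pwned "suffix:count" format) returns the hit count, and a soft limit allows a low-count compromised password while still flagging it for an alert. The limits, the range data and the hit counts are constructed for offline use.

```python
import hashlib
from typing import Callable, Dict

# Assumed policy values for this example (not the add-on's defaults, except
# MIN_LENGTH, which follows the changelog's new default of 10 characters).
MIN_LENGTH = 10
MAX_LENGTH = 256        # cap applied BEFORE any strength estimation runs
SOFT_PWNED_LIMIT = 5    # "Pwned password minimum count (soft)": below this, allow but alert


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (k-anonymity range format) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Send only the 5-char hash prefix; match the 35-char suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> str:
    # Length cap first: unbounded input must never reach the strength
    # estimator, which is the factorial-cost DoS path the changelog fixed.
    if len(password) > MAX_LENGTH:
        return "reject:too_long"
    if len(password) < MIN_LENGTH:
        return "reject:too_short"
    hits = pwned_count(password, fetch_range)
    if hits == 0:
        return "allow"
    if hits < SOFT_PWNED_LIMIT:
        return "allow_with_alert"   # soft limit: accept, but trigger the compromised-password alert
    return "reject:compromised"


# Constructed offline stand-in for the range endpoint; the counts are made up.
_CONSTRUCTED_COUNTS = {"password123": 3_730_471, "correct horse": 3}


def fake_fetch_range(prefix: str) -> str:
    digests = ((sha1_hex(pw), n) for pw, n in _CONSTRUCTED_COUNTS.items())
    return "\n".join(f"{d[5:]}:{n}" for d, n in digests if d[:5] == prefix)
```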