Description:
Source
This modification mostly follows the principles of Dan Wheeler's password strength estimator zxcvbn. It does not weigh password strength by the mix of upper/lower-case letters, special characters and numbers, but by how easy the password is to crack in practice.
To increase the safety of your users' accounts, you can force them to use passwords of a minimum length and minimum strength, and even force them to exclude certain words from their passwords (such as your site name, the topic your site covers, etc.).
But the other side of the equation is that no matter how secure a password is, if it has been compromised no password strength estimator will make it better. NIST's guidance is therefore to check passwords against those obtained from previous data breaches. The Pwned Passwords integration does exactly that.
zxcvbn README says:
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative entropy calculations, it recognizes and weighs 10k common passwords, common names and surnames according to US census data, popular English words, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
Consider using zxcvbn as an algorithmic alternative to password policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
Pwned Passwords says:
Password reuse and credential stuffing
Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.
NIST's guidance: check passwords against those obtained from previous data breaches
The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed.
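The two ideas in the description, a strength-oriented policy instead of character-class rules and a check against breached passwords, can be combined into one validation step. The following is an added example written for this page in Python; it is not the add-on's PHP code. It models the add-on's options (minimum length, a rejected-fragment list, the user/site fragment rule, and the soft/hard Pwned Passwords hit-count thresholds) and does the breach lookup the way the Pwned Passwords range API works: only the first five hex characters of the SHA-1 leave the client and the suffix is matched locally. The range response is served from a constructed in-memory corpus so the code runs offline. The `Policy` and `Verdict` names, the 256-character upper bound, the exact soft/hard threshold semantics and the `sample_fetch_range` stand-in for the HTTP call are my assumptions, not the add-on's.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus for the offline stand-in below. The counts are
# made up for this example and are not real Pwned Passwords figures.
_SAMPLE_BREACHED = {"password": 3861493, "letmein": 120, "Tr0ub4dor&3": 1}


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service takes the first 5 hex characters of the SHA-1 and answers
    with one "SUFFIX:COUNT" line per hash in that bucket, so the client never
    sends the full hash (k-anonymity). A deployment swaps in an HTTP client.
    """
    lines = []
    for pw, count in _SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


class PwnedChecker:
    """Range lookup with a per-prefix TTL cache (the add-on keeps a hash cache
    for a configurable number of days; 3 days is its current default)."""

    def __init__(self, fetch_range: Callable[[str], str],
                 cache_ttl_s: float = 3 * 86400,
                 clock: Callable[[], float] = time.time):
        self._fetch, self._ttl, self._clock = fetch_range, cache_ttl_s, clock
        self._cache: Dict[str, Tuple[float, Dict[str, int]]] = {}

    def count(self, password: str) -> int:
        """How many times the password appears in the corpus (0 = unseen)."""
        digest = sha1_hex(password)
        return self._bucket(digest[:5]).get(digest[5:], 0)

    def _bucket(self, prefix: str) -> Dict[str, int]:
        now = self._clock()
        cached = self._cache.get(prefix)
        if cached is not None and now - cached[0] < self._ttl:
            return cached[1]
        parsed: Dict[str, int] = {}
        for line in self._fetch(prefix).splitlines():
            suffix, _, count = line.strip().partition(":")
            if suffix and count.isdigit():
                parsed[suffix.upper()] = int(count)
        self._cache[prefix] = (now, parsed)
        return parsed


@dataclass
class Policy:
    min_length: int = 15            # add-on default since 3.12.1
    max_length: int = 256           # assumed cap; the add-on rejects over-long input before zxcvbn runs
    rejected_fragments: List[str] = field(default_factory=list)  # site-defined blacklist
    block_user_and_site_fragments: bool = True
    site_domain: str = "example.com"  # hypothetical site
    pwned_soft_min_count: int = 0   # warn (alert the user) once the breach count reaches this...
    pwned_hard_min_count: int = 1   # ...and reject once it reaches this


@dataclass
class Verdict:
    ok: bool
    errors: List[str]
    warnings: List[str]
    pwned_count: int


def validate_password(password: str, username: str, email: str,
                      policy: Policy, checker: PwnedChecker) -> Verdict:
    errors: List[str] = []
    warnings: List[str] = []
    # Bound the length before any estimator runs: zxcvbn's pattern matching is
    # super-linear in input length, so unbounded input is a CPU denial of service.
    if len(password) > policy.max_length:
        return Verdict(False, [f"longer than {policy.max_length} characters"], [], 0)
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    lowered = password.lower()
    for frag in policy.rejected_fragments:
        if frag and frag.lower() in lowered:
            errors.append(f"contains rejected fragment {frag!r}")
    if policy.block_user_and_site_fragments:
        # An account without an email yields "" here and is skipped by the length guard.
        pieces = [username, email, email.partition("@")[0],
                  policy.site_domain, policy.site_domain.partition(".")[0]]
        for piece in dict.fromkeys(p.lower() for p in pieces if len(p) >= 3):
            if piece in lowered:
                errors.append(f"contains user/site fragment {piece!r}")
    count = checker.count(password)
    if count > 0 and count >= policy.pwned_hard_min_count:
        errors.append(f"seen {count} times in known breaches")
    elif count > 0 and count >= policy.pwned_soft_min_count:
        warnings.append(f"seen {count} times in known breaches; alert the user")
    return Verdict(not errors, errors, warnings, count)


if __name__ == "__main__":
    print(validate_password("password", "alice", "alice@example.com", Policy(), PwnedChecker(sample_fetch_range)))
```

With the add-on's current defaults (soft 0, hard 1) any password seen at least once is rejected; with the older defaults (soft 1, hard 2) a single hit is accepted but flagged, which is what the "Pwned password minimum count (soft)" option is for. The cache is keyed by the five-character prefix, so a retried submission of the same password within the TTL does not hit the service again.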
Features:
- Show password feature: allow users to toggle visibility to see what they have actually entered.
- Show users how strong their passwords really are when it comes to crack attempts.
- Deliver instant feedback on whether password and password-confirm match and/or certain requirements are not met.
- Force users to choose passwords with a minimum strength.
- Force users to choose passwords with a minimum length.
- Force users to choose a password not containing words from a blacklist you define.
- No cheating: this modification also checks users' passwords on the server side with Ben Jeavons' PHP implementation of zxcvbn.
- Easy styling through XenForo Style Properties.
Download V3.2.2:
Version 3.3.0 - XF2.2 compatibility update:
Requires PHP 7.0+
Now depends on Standard Library by Xon
Supports XF2.2+
Download V3.3.0:
Version 3.4.0 - PHP 8 compatibility update:
Require PHP 7.2+
Fix PHP 8 compatibility
Download V3.4.0:
Version 3.5.0 - Feature update:
Force the global namespace for functions which are known to be optimizable to bytecode in PHP, or known global functions, to avoid a current-namespace lookup for the function.
Add "On login; alert the user if they have a known compromised password" option (default enabled)
Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)
Download V3.5.0:
Version 3.6.1 - Feature update:
Thanks to @NamePros for sponsoring this update.
Update compromised password alert text to be less awkward
On updating passwords, remove any compromised password alerts to avoid user confusion
Add "Force email two factor authentication on compromised password" option (default disabled)
Add "Pwned password minimum count (soft)" option. This allows a user to change a password to a known compromised value which has fewer than a given number of known hits. This still generates compromised password alerts.
Download V3.6.1:
Version 3.6.2 - Maintenance update:
Reduce queries when triggering forced email 2fa
Prevent a rare DuplicateKeyException when forcing email 2fa while multiple tabs are in use.
Download V3.6.2:
Version 3.6.3 - PHP 8.1 compatibility fix:
Dramatically reduce redistributable size by trimming unneeded files
PHP 8.1 compatibility fix
Download V3.6.3:
Version 3.6.4 - Bugfix update:
Fix an edge case where 32-bit PHP would incorrectly report a very strong password as weak due to bad float-to-integer truncation.
Recommend ext-gmp (aka php-gmp) for optimized binomial calculations; this requires PHP 7.3+
Download V3.6.4:
Version 3.6.5 - Bugfix update:
Switch back to the upstream bjeavons/zxcvbn-php library, as it should be fully PHP 8.1 compatible
More 32-bit PHP fixes, thanks to NamePros
Download V3.6.5:
Version 3.7.1 - Feature update:
Require XenForo 2.2+, drop XF2.1 support
Actually implement the cron job to prune the pwned password hash cache. Old entries were already being ignored, so this should just reduce MySQL table bloat
Fix a denial of service: reject over-long passwords, which can trigger a factorial number of brute-force password checks in zxcvbn
Update new-install option defaults to more recommended values:
- Enforce password complexity for admins
- Enable "Length check" by default, and set the "Minimum length" to 8
- Enable "Pwned password password validation" by default
Download V3.7.1:
Version 3.7.3 - Bugfix update: Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.
Download V3.7.3:
Version 3.7.4 - Bugfix update: Fix password checks that could incorrectly apply when resetting a user's password
Download V3.7.4:
Version 3.7.5 - Bugfix update:
- Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
- Fix cases where email 2fa would not be force-enabled on the first login request after a password is discovered to be compromised
- Rename various options to be better searchable
- Adjust various option defaults to be more robust:
  - 'Minimum password length' from 8 to 10 characters
  - 'Minimum password strength' from 'very weak' to 'weak'
  - 'Pwned password minimum count (soft)' from 1 to 0
  - 'Pwned password minimum count (hard)' from 2 to 1
  - 'Pwned password cache time' from 7 to 3 days
Download V3.7.5:
Version 3.8.0 - Feature update:
This add-on is now available on atelieraphelion.com
- Require StandardLib v1.18.0+
- Add new "User-group for compromised passwords" option, which adds users to the selected user-group when it is detected on login that they have a compromised password. Defaults to disabled. Useful for targeting with notices
Version 3.8.2 - Bugfix & Maintenance update:
- Fix changing the user entity while a write is pending in some cases
- Add "Use rejected password fragments in password meter" option (default disabled). Takes rejected password fragments into consideration when showing the password strength meter to the user.
  Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.
Version 3.9.0 - Feature update:
- Add "Force password reset on compromised password" option
  - This option is likely overkill for most sites, and is not generally recommended
Version 3.10.0 - XenForo 2.3 support:
- Require StandardLib v1.20.0+
- Restore XF2.1 support; note the front-end zxcvbn requires XF2.2+
- Support XF2.3+
- PHP 8.4+ compatibility
Version 3.10.1 - Bugfix update:
- Fix JavaScript error when using XF2.3
Download V3.10.1:
Version 3.10.2 - Bugfix update:
- Fix JavaScript error for XF2.2
Download V3.10.2:
Version 3.11.1 - Feature update:
- PHP 8.4+ compatibility fixes
- Rename option "Password check types" to "New password validation rules"
- Add "On login; consider known-bad passwords as compromised" option (default false)
- Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)
Version 3.12.1 - Feature update:
- Fix server error when a password is very long
- Add "Force two-step verification" permission
  - If enabled for a user, prevents email 2fa from being disabled
- For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it
- Align defaults with NIST Password Guidelines for 2024
  - Update "New password validation rules" defaults: "Prevent passwords which contain the user's email or username, and the site's domain/name" now defaults to true
  - Update "Minimum password length" default to 15
Version 3.12.2 - Bugfix update: Fix internal server error when registering an account without an email address (requires a 3rd-party add-on to trigger).
Download V3.12.2: