xF2 Add-on Password Tools 3.11.1

• php 8.4+ compatibility fixes
• Rename option "Password check types" to "New password validation rules"
• Add "On login; consider known-bad passwords as compromised" option (default false)
• Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)

• Fix javascript error when using XF2.3

Click to expand...

• Require standardLib v1.20.0+
• Restore XF2.1 support, note front-end Zxcvbn requires XF2.2+
• Support XF2.3+
• php 8.4+ compatibility

• Add "Force password reset on compromised password" option
  • This option is likely overkill for most sites, and is not generally recommended

• Fix changing user entity while a write is pending in some cases
• Add "Use rejected password fragments in password meter" option (default disabled).
  Take rejected password fragments into consideration when showing the password strength meter to the user.
  Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.

This add-on is now avaliable on atelieraphelion.com

• Require StandardLib v1.18.0+
• Add new "User-group for compromised passwords" option, which adds uses to the selected user-group when it is detected they have a compromised password on login.
  Defaults to disabled. Useful for targeting with notices

• Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
• Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
• Rename various options to be better searchable
• Adjust various option defaults to be more robust.
  • 'Minimum password length' from 8 => 10 characters
  • 'Minimum password strength' from 'very weak' to 'weak'
  • 'Pwned password minimum count (soft)' from 1 to 0
  • 'Pwned password minimum count (hard)' from 2 to 1
  • 'Pwned password cache time' from 7 to 3 days

• Fix password checks could incorrectly apply when resetting a user's password

Click to expand...

• Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.

Click to expand...

• Require XenForo 2.2+, drop XF2.1 support
• Actually implement cron to prune the pwned password hash cache. Old entries where already being ignored, so this will hopefully just reduce MySQL table bloat
• Fix denial of service attack by preventing too long password which can trigger factorial number of brute force password checks when using Zxcvbn
  • Update new install option defaults to more recommend values:
  • Enforce password complexity for admins
  • Enable "Length check by default, and set the "Minimum length" to 8
  • Enable "Pwned password password validation" by default