Fix the user entity being changed while a write is pending (in some cases)
Add "Use rejected password fragments in password meter" option (default disabled).
Take rejected password fragments into consideration when showing the password strength meter to the user. Security note: this makes the full list of rejected password fragments visible to end users; make sure the list contains no sensitive fragments before enabling it.
Add new "User-group for compromised passwords" option, which adds users to the selected user-group when a compromised password is detected at login.
Defaults to disabled. Useful for targeting those users with notices.
Actually implement the cron job to prune the pwned password hash cache. Old entries were already being ignored, so this should just reduce MySQL table bloat.
Fix a denial-of-service vector by rejecting overly long passwords, which can trigger a factorial number of brute-force pattern checks when using Zxcvbn.
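As an added illustration of the guards the entries above describe (not the add-on's own code; the length cap, cache TTL and function names are assumptions), the strength meter is only run on bounded-length input, the minimum length is enforced first, and stale pwned-hash cache rows are pruned by age:

```python
"""Hypothetical password-policy helpers; limits and names are assumed."""
import time
from typing import Callable, Dict, List, Optional, Tuple

MIN_LENGTH = 8             # "Minimum length" default from the changelog
MAX_METER_LENGTH = 64      # assumed cap: the meter is skipped above this
CACHE_TTL = 7 * 24 * 3600  # assumed age (seconds) after which cache rows expire


def length_errors(password: str) -> List[str]:
    """Cheap checks run before any expensive work."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"password must be at least {MIN_LENGTH} characters")
    if len(password) > MAX_METER_LENGTH:
        errors.append(f"password must be at most {MAX_METER_LENGTH} characters")
    return errors


def guarded_strength(password: str,
                     estimator: Callable[[str], int]) -> Optional[int]:
    """Run the strength estimator only for bounded-length input.

    Pattern matchers such as zxcvbn get dramatically more expensive as the
    input grows, so an unbounded string from an unauthenticated client is a
    CPU denial-of-service vector. Returns None when the meter is skipped.
    """
    if len(password) > MAX_METER_LENGTH:
        return None
    return estimator(password)


def prune_pwned_cache(cache: Dict[str, Tuple[int, float]],
                      now: Optional[float] = None) -> int:
    """Drop cache rows older than CACHE_TTL and return how many were removed.

    cache maps a password hash (hex) to (breach_count, inserted_at). Stale
    rows are ignored on lookup anyway; pruning keeps the table from growing
    without bound. `now` is injectable so the behaviour can be tested.
    """
    now = time.time() if now is None else now
    stale = [h for h, (_, inserted) in cache.items() if now - inserted > CACHE_TTL]
    for h in stale:
        del cache[h]
    return len(stale)
```

The estimator is passed in as a callable so the cap applies whichever strength library sits behind the meter.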
Update new-install option defaults to more recommended values:
Enforce password complexity for admins
Enable "Length check" by default, and set the "Minimum length" to 8
Enable "Pwned password validation" by default