
Andreas
15 Sep 2005, 02:48
Password Security

Description
This Hack allows you to enforce your members to use safe(r) Passwords:

You can define a minimum length
You can define how many character classes a Password must use
Does not allow using Username or eMail-Address as Password
Dictionary Check to prevent common passwords
(Not yet fully implemented; Table wordlist must be filled manually, but check is present)


Details
1 Product XML (2 Plugins, 14 Phrases, 2 Settings)
2 Template Edits

History
1.0.0
Initial Version

1.0.1
Fixed problem with multiple Datamanager

1.0.2
Changed code to ignore automatically created weak passwords

nexialys
15 Sep 2005, 02:49
first reply... GNI!

request for future: can this hack be modified to be using AJAX for the verif, instead of javascript plain ?!

thanks for this... greatly appreciate!

Daniel
15 Sep 2005, 05:08
o0o Very nice!

Andreas
15 Sep 2005, 13:14
@nexialys
Nope. That would mean having to transfer plaintext Passwords which is a no-no.

sensimilla
15 Sep 2005, 15:09
great hack :)

bulbasnore
19 Sep 2005, 13:04
cool, we'll definitely need this when we get to 3.5
THANKS for doing this

so in preventing the use of screen name as password, which, if any, of these does it prevent?
bulbasnore9
bulba9snore
9bulbasnore
bulbasnoreZ
b.u.l.b.a.s.n.o.r.e.


Also, are there rules for the word list or is the list just matched verbatim (or perhaps case insensitive)?

All we need do with the list is just add a table with the words, yes?

Dan
19 Sep 2005, 13:34
cool, we'll definitely need this when we get to 3.5
THANKS for doing this

so in preventing the use of screen name as password, which, if any, of these does it prevent?
bulbasnore9
bulba9snore
9bulbasnore
bulbasnoreZ
b.u.l.b.a.s.n.o.r.e.


Also, are there rules for the word list or is the list just matched verbatim (or perhaps case insensitive)?

All we need do with the list is just add a table with the words, yes?

I haven't quite looked at this in great detail, but adding "dictionary" words... is there a way to mass add them or is it just one at a time?

Andreas
19 Sep 2005, 13:51
Currently there is no way to add any at all ;)

@bulbasnore
None, as they are all different from your Username
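
The four rules from the first post (minimum length, character classes, no username/e-mail as password, wordlist check) and Andreas' answer to bulbasnore that the username check is an exact comparison, written out as an added PHP example. This is not the hack's own code and does not use vBulletin's API: the function name `check_password_policy`, its parameters and the sample wordlist are my own. The `$strict` option goes beyond the hack and also rejects passwords that merely contain a normalised form of the username, which is the check bulbasnore's variants would need.

```php
<?php
// Added example, not the hack's code. Function and option names are my own.

/**
 * Return a list of policy violations (empty array = password acceptable).
 *
 * $min_length  minimum number of characters (the hack's "minimum length" setting)
 * $min_classes how many of the four character classes must be present
 * $wordlist    array of forbidden common passwords (what the hack's wordlist table holds)
 * $strict      false = exact comparison against username / e-mail, which is what
 *              Andreas says the hack does; true = additionally reject passwords
 *              that contain the username after stripping punctuation and case
 */
function check_password_policy($password, $username, $email, $min_length, $min_classes, array $wordlist, $strict = false)
{
    $errors = array();

    if (strlen($password) < $min_length) {
        $errors[] = "too short (minimum $min_length characters)";
    }

    // The four classes named in the hack's error phrase: upper, lower, digits, other.
    $classes = 0;
    if (preg_match('/[A-Z]/', $password))       $classes++;
    if (preg_match('/[a-z]/', $password))       $classes++;
    if (preg_match('/[0-9]/', $password))       $classes++;
    if (preg_match('/[^A-Za-z0-9]/', $password)) $classes++;
    if ($classes < $min_classes) {
        $errors[] = "uses only $classes character class(es), need $min_classes";
    }

    // Exact match is the hack's behaviour (so "bulbasnore9" passes). The strict
    // variant strips non-alphanumerics and case-folds both sides, then looks for
    // the username anywhere inside the password.
    if ($password === $username || $password === $email) {
        $errors[] = 'equals username or e-mail address';
    } elseif ($strict) {
        $norm = function ($s) { return strtolower(preg_replace('/[^a-z0-9]/i', '', $s)); };
        if ($norm($username) !== '' && strpos($norm($password), $norm($username)) !== false) {
            $errors[] = 'contains the username';
        }
    }

    // Dictionary check: case-insensitive match against the wordlist.
    if (in_array(strtolower($password), array_map('strtolower', $wordlist), true)) {
        $errors[] = 'is a common (dictionary) password';
    }

    return $errors;
}

// Constructed sample data for a stand-alone run.
$wordlist = array('password', 'letmein', 'qwerty', '123456');
$user     = 'bulbasnore';
$mail     = 'bulbasnore@example.invalid';

$candidates = array(
    'bulbasnore',            // equals username, and only one class
    'bulbasnore9',           // two classes; passes the hack's exact check
    'b.u.l.b.a.s.n.o.r.e.',  // passes the exact check, rejected by strict
    'Password',              // on the wordlist
    '48213907',              // digits only: the shape of an auto-generated reset password
    'Tr0ub4dor&3',           // passes everything
);

foreach ($candidates as $pw) {
    $hack   = check_password_policy($pw, $user, $mail, 8, 2, $wordlist, false);
    $strict = check_password_policy($pw, $user, $mail, 8, 2, $wordlist, true);
    printf("%-22s hack: %-45s strict: %s\n", $pw,
        $hack   ? implode('; ', $hack)   : 'ok',
        $strict ? implode('; ', $strict) : 'ok');
}
```

The digits-only candidate shows why a system-generated reset password trips the two-class rule: the caller has to know whether the password was chosen by the user or generated by the board and skip the check for the latter, which is what version 1.0.2 ("ignore automatically created weak passwords") is about.
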

Dan
19 Sep 2005, 14:36
Awe... :( I was looking forward to being bored and adding to it :(

Col
20 Sep 2005, 12:19
Great Hack, Well done :)

WNxWakko
08 Oct 2005, 01:06
how will this mod affect someone using password retrieval? will it give them a pass not within the criteria and then not work?

Andreas
08 Oct 2005, 01:07
Doesn't have any effect on password reset, only on passwords the user chooses.

WNxWakko
08 Oct 2005, 01:14
so if they do pass retrieval and it doesn't follow the criteria I set, does that mean once they login with the new one it will force them to change it?

Andreas
08 Oct 2005, 01:16
No. As said, it does not have any effect on system generated passwords.
But that's a good point, I have to think about it if there is something that could be done.

Moparx
23 Oct 2005, 19:17
when the product is enabled and you try to use the Update User Titles and Ranks function the following error is made (I removed the actual paths for this post):

Updating user info...
Processing: 1

Fatal error: Cannot redeclare verify_password_secure() (previously declared in /path/to/includes/class_dm_user.php(163) : eval()'d code:3) in /path/to/includes/class_dm_user.php(163) : eval()'d code on line 3

Andreas
23 Oct 2005, 22:05
Wrap function verify_password_secure if

Code:
---------------
Code is only visible to licensed users, and only when logged into the forums.
---------------

Will update the ZIP soon.
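
The guard Andreas describes, as an added PHP example (not the hack's or vBulletin's code; the hook body is a constructed stand-in and `$hook_runs` is my own counter). A vBulletin plugin is stored as a string and eval()'d at its hook location, so when several datamanager objects run the same hook in one request (the "Update User Titles and Ranks" loop in Moparx's report) an unguarded `function` statement is executed more than once and PHP stops with "Cannot redeclare". Wrapping the declaration in `function_exists()` makes the second and later evaluations skip it.

```php
<?php
// Added example. The plugin body is constructed; only the guard pattern is the point.

$plugin_code = '
    // Conditional declaration: PHP defines the function only when this block runs,
    // so evaluating the same string again finds it already present and skips it.
    if (!function_exists("verify_password_secure")) {
        function verify_password_secure($password) {
            return strlen($password) >= 8;   // stand-in body, not the hack\'s real check
        }
    }
    $GLOBALS["hook_runs"]++;
';

$GLOBALS['hook_runs'] = 0;

// Simulate three datamanager instances each evaluating the plugin in one request.
// Without the function_exists() guard the second eval() would be the fatal error
// Moparx reported; with it, every pass runs and the function exists exactly once.
for ($i = 0; $i < 3; $i++) {
    eval($plugin_code);
}

echo 'declared: ', function_exists('verify_password_secure') ? 'yes' : 'no', "\n";
echo 'hook runs: ', $GLOBALS['hook_runs'], "\n";
echo 'verify("short"): ', verify_password_secure('short') ? 'ok' : 'rejected', "\n";
```
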

Mastar
24 Oct 2005, 01:53
Never Mind

CSGG
10 Nov 2005, 13:54
first reply... GNI!

request for future: can this hack be modified to be using AJAX for the verif, instead of javascript plain ?!

thanks for this... greatly appreciate!

Nice :) Very good

bigmonay2k
13 Nov 2005, 04:01
sound good dude

Rabbitoh Warren
17 Nov 2005, 17:59
This hack appears to interfere with users ability to reset their password should they forget it. I'll have to disable it for now. :(

Andreas
17 Nov 2005, 18:27
Can you give a little more information about how it does interfere?
That would be useful ...

Mu5icMan
15 Dec 2005, 11:24
It does indeed interfere with resetting of passwords.

Enter email address to reset password.

Click on link sent to email address to reset password.

Vbulletin comes up with an error:

The Password you have choosen is not considered strong enough. Please make sure that you are using at least 2 different character Classes (Uppercase Characters, Lowercase Characters, Numbers or other Characters).

I see from the link that the password is all numbers and hence will not allow me to reset.

Mu5icMan
03 Jan 2006, 13:04
anybody going to sort this?

PHPKD
26 Jan 2006, 19:37
anybody going to sort this?

up waiting for fixing for that

vissa
27 Jan 2006, 05:18
This is a great mod if the above mentioned problems are fixed (I have not confirmed that they exist, but it seems likely).

Please any update?

Thanks -vissa

IrPr
03 Feb 2006, 23:31
It does indeed interfere with resetting of passwords.

Enter email address to reset password.

Click on link sent to email address to reset password.

Vbulletin comes up with an error:

The Password you have choosen is not considered strong enough. Please make sure that you are using at least 2 different character Classes (Uppercase Characters, Lowercase Characters, Numbers or other Characters).

I see from the link that the password is all numbers and hence will not allow me to reset.

fixed by andreas?
seems updated 27 jan

Smiry Kin's
05 Feb 2006, 03:21
nice one

/me will be installing this soon

vnchannel
24 Mar 2006, 17:19
Hi Andreas
I installed it. It is useful but I think it needs a more user-friendly guide. For example, it should show the registering user a meter of the strength of the password he is typing. You can see an example of it when you register at Hotmail.

Could you tell me how to add words into the word list. Thank you

Anyway this hack is very good to install, I really appreciate.

Thank you, Andreas

Mдяc
01 Apr 2006, 03:24
thanz bro, this mods's so great :)

dsewebteam
24 Aug 2006, 03:50
I have installed it in VB 3.6.0 and it's working great, thanks.

Hornstar
10 Jan 2007, 11:33
I would like this for just my mods, smods and admins. Is there any way to set this for just them and not anyone else?

also is this working for vb 3.6.4?

and has anyone got the word list yet?

Thanks.

Doc Great
22 Feb 2007, 08:49
It's working for vb 3.6.4

If there's any interest in a TMS-Product, please send me a pm :-)

dsewebteam
26 Feb 2007, 21:59
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password has expired, the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.

I have had to turn it off due to too many people contacting me to change their password.

vissa
02 Mar 2007, 14:36
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password has expired, the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.

I have had to turn it off due to too many people contacting me to change their password.

So is the mod essentially broken with 3.6.4? I really need this and can't believe VB allows such weak passwords. I need to get all my users to change their passwords (expiry) and then want this mod to force them to make decent ones. Will that not work with this mod?

-vissa

vissa
03 Mar 2007, 01:29
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password has expired, the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.

I have had to turn it off due to too many people contacting me to change their password.

Can you detail exactly what happens so we can try to fix this? I want this working on 3.6.4 / 3.6.5 properly. So a user has to change their password. What exactly happens next? Does it work fine if you DON'T use password expiry or is there a problem any time a member tries to change their password?

Thank you
-vissa

vissa
12 Mar 2007, 02:21
Well I finally broke down and installed this on 3.6.5. Seems to work fine. I've tested registrations and users resetting their passwords. Those seem to work well as is. I will be testing "password expiry" shortly and report back.

-vissa

stamos2003
21 Nov 2007, 10:32
installed on 3.6.8 and works fine
though, it would be nice to port this hack to 3.6.8 and especially add the password check also to the "change password" page at the forum, not only for new signups

harkonen70
28 Nov 2007, 17:00
installed on 3.6.8 and works fine
though, it would be nice to port this hack to 3.6.8 and especially add the password check also to the "change password" page at the forum, not only for new signups

I concur .. or make something like this a feature of vb as a whole.

mackers8923
09 May 2008, 02:17
On 3.7, if a user edits their password (to one that is shorter than specified) they get an error - "Your password is too short..." and are returned to the User CP.

In actual fact the password does change - if you try to re-change it you get an error saying "Password entered doesn't match your current one..." If you try the "too short" password it works...

Any ideas?

Joe Siegler
11 Aug 2008, 20:28
This appears to not completely work with current code.

I really could use the "stop users from having same password as their username" as I was just compromised (http://forums.3drealms.com/vb/showthread.php?p=741938#post741938) this morning.

From reading, I get the impression this doesn't work right with 3.72. Am I correct, or am I not right, and it does work? I really could use this mod like NOW, since I'm now a known target for this kind of behaviour.

Martin Belak
22 Sep 2008, 22:04
The following solves the "bug" in combination with vB 3.7.3

In modifypassword find:

Code:
---------------
Code is only visible to licensed users, and only when logged into the forums.
---------------

and replace with

Code:
---------------
Code is only visible to licensed users, and only when logged into the forums.
---------------

/M

joshskeety
31 Dec 2009, 15:37
How can such a good mod not get updated? Even with that last fix the mod doesn't even appear to check the strength of the passwords.