Administrative and Maintenance Tools - Password Security Tools
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Security Tools
For vBulletin 3.7.0 and above
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A product designed to combat the recent increase in weak password attacks by spammers.
For background information, read the following threads:
http://www.vbulletin.com/forum/showthread.php?t=278975
http://www.vbulletin.com/forum/showthread.php?t=281371
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Problem
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The problem stems from the fact that vBulletin doesn't check the quality of a user's password when registering or when changing the password in the User CP. As a result, users are able to choose easily guessable passwords to protect their account. The most common are things like "password", "12345", "qwerty" and "letmein", as well as the user's own username. On a large forum these poorly protected accounts can number in the hundreds or even thousands, and this has shown itself to be a prime opportunity for spammers to exploit. With a relatively simple script, a spammer can scrape the member list from your forum and automatically try each account against that handful of passwords, finding the ones that accept them. A spammer with access to tens, hundreds or thousands of legitimate user accounts is a situation you don't want to be in.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What This Does
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This product has two main functions.
1. It prevents users from using their own username as a password, or any other commonly used word. (An editable list of banned passwords is available in the Admin CP.) The same rules apply if a user tries to change their password after registration.
2. It provides you with a tool to identify existing user accounts that have bad passwords, and lets you reset those passwords. Emails will be automatically dispatched to affected users notifying them of the change, and providing instructions on how to gain access to their account.
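As an added illustration (not the product's own PHP code, which this thread does not show), the following Python reproduces the logic of the two functions above for offline use against an export of the user table: it flags accounts whose stored hash matches the username or a banned word, skips usergroups the admin excludes, and plans a random reset password for each hit. It assumes vBulletin 3's password storage of md5(md5(password) . salt), with the inner md5 being the value the browser submits; that scheme is an assumption the thread does not spell out. The banned list, the sample rows, the usergroup-skip parameter and the reset-password length are all constructed for the example, and the product's emailing step is left out.

```python
import hashlib
import secrets
import string

# Constructed banned list; the real product keeps an editable list in the Admin CP.
BANNED_PASSWORDS = ["password", "12345", "qwerty", "letmein"]


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vb3_hash(clear: str, salt: str) -> str:
    # Assumption: vBulletin 3 stores md5(md5(password) . salt), where the inner
    # md5 is the value the register/login form submits as password_md5.
    return md5hex(md5hex(clear) + salt)


def weak_password_label(username: str, salt: str, stored_hash: str):
    """Return "username" or "common:<word>" if the stored hash matches a
    guessable password, else None. Each candidate costs two md5 calls, so the
    whole member list is checked offline, with no login attempts at all."""
    if stored_hash == vb3_hash(username, salt):
        return "username"
    for word in BANNED_PASSWORDS:
        if stored_hash == vb3_hash(word, salt):
            return "common:" + word
    return None


def scan_users(rows, skip_usergroups=()):
    """rows: dicts with the user-table columns userid, username, usergroupid,
    password, salt. Returns (userid, username, reason) for each weak account,
    skipping the usergroups the admin excluded (e.g. banned users)."""
    weak = []
    for row in rows:
        if row["usergroupid"] in skip_usergroups:
            continue
        reason = weak_password_label(row["username"], row["salt"], row["password"])
        if reason:
            weak.append((row["userid"], row["username"], reason))
    return weak


def random_password(length: int = 12) -> str:
    # secrets, not random: the new password must not be predictable.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def plan_resets(rows, weak):
    """For each weak account choose a new random password and compute the hash
    to store under the user's existing salt. The clear text is only needed for
    the notification email; the database only ever gets the hash."""
    by_id = {row["userid"]: row for row in rows}
    plan = []
    for userid, username, reason in weak:
        new_clear = random_password()
        plan.append({
            "userid": userid,
            "username": username,
            "reason": reason,
            "new_password": new_clear,
            "new_hash": vb3_hash(new_clear, by_id[userid]["salt"]),
        })
    return plan


# Constructed sample of the user table; hashes are derived from known passwords.
SAMPLE_ROWS = [
    {"userid": 1, "username": "admin", "usergroupid": 6, "salt": "a1b",
     "password": vb3_hash("correct horse battery", "a1b")},
    {"userid": 2, "username": "bob", "usergroupid": 2, "salt": "x9z",
     "password": vb3_hash("bob", "x9z")},
    {"userid": 3, "username": "carol", "usergroupid": 2, "salt": "q2w",
     "password": vb3_hash("letmein", "q2w")},
    {"userid": 4, "username": "spambot", "usergroupid": 8, "salt": "m4k",
     "password": vb3_hash("password", "m4k")},
]

if __name__ == "__main__":
    weak = scan_users(SAMPLE_ROWS, skip_usergroups=(8,))
    for item in plan_resets(SAMPLE_ROWS, weak):
        print(item["userid"], item["username"], item["reason"], item["new_hash"])
```

Because the check is a comparison of precomputed hashes, its cost is linear in (users x banned words) and it never touches the login path; that is also why the banned list should stay short and specific rather than a full dictionary.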
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Installation
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To install:
1. Upload cpnav_passrepair.xml to includes/xml/
2. Upload passsec.php to admincp/
3. Import product-passrepair.xml as a product in your Admin CP (Plugins & Products > Manage Products > Add/Import Product)
4. Enable the product in vBulletin Options
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Scanner - Usage Notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The password scanning portion of this product is a utility designed for use by administrators. There are a few things to be aware of.
1. BACK UP YOUR DATA BEFORE USING THIS SCRIPT.
2. It's not a tool designed for frequent usage, it's a quick and dirty way of getting the job done. If Jelsoft don't address this issue, I might return to it and optimize the password scanner to make it a little less server intensive. Use it sparingly, and close your forums before commencing a scan.
3. The password scanner has the potential to send out a lot of email. Use the "Users Per Page" setting to process accounts at whatever rate you deem your server capable of handling.
4. After you've installed this product it'll be impossible for users to register using a blacklisted or invalid password (or to change it to one afterwards). As a result, you should only need to use the password scanner once. Feel free to remove the passsec.php and cpnav_passrepair.xml files from your server once you're done with the scanner, the rest of the product will still function.
5. For unattended bulk processing of accounts, there's some javascript in passsec.php that's currently commented out. Use it at your own risk.
glorify
08-13-2008, 03:06 AM
Weeeeee. Installing now John :)
GaiLoan
08-13-2008, 03:24 AM
Wow, sounds cool, thanks, let me try.
sinucello
08-13-2008, 04:18 AM
Hi,
thanks a lot for sharing this. Should have already been released by Jelsoft IMHO, but this has been discussed in the threads you mentioned. Great job anyway.
all the best,
Sacha
RedTrinity
08-13-2008, 06:25 AM
I just got the following error after running the script to update bad passwords, it happened as soon as it tried to attend to the first member in the list:
Database error in vBulletin 3.7.2:
Invalid SQL:
UPDATE user SET password='19c024c9537eca5a91fca3606caa7796' WHERE userid=81;
MySQL Error : Table 'xxxx_forums.user' doesn't exist
Error Number : 1146
Request Date : Wednesday, August 13th 2008 @ 05:21:56 PM
Error Date : Wednesday, August 13th 2008 @ 05:21:56 PM
Script : http://www.theparentingsanctuary.com.au/forums/admincp/passsec.php?do=dopassscan
Referrer : http://www.theparentingsanctuary.com.au/forums/admincp/passsec.php?do=preparepassscan
IP Address : xxxx
Username : xxxx
Classname : vB_Database
MySQL Version : 5.0.48
:confused::confused::confused:
digicom
08-13-2008, 06:56 AM
Installed. Thank you! :up:
wacnstac
08-13-2008, 10:26 AM
Thank you, thank you, thank you! Too bad you had to do Jelsoft's job for them. They'll probably be using this hack too, or they should be.
> I just got the following error after running the script to update bad passwords, it happened as soon as it tried to attend to the first member in the list:
Ah, missed a table prefix. Download the zip again, and overwrite passsec.php.
MGSteve
08-13-2008, 01:08 PM
Is there any reason this won't work on 3.6.0? I haven't upgraded my forum in a while (haven't got the time to redo all the plugins I've done again)!
> Is there any reason this won't work on 3.6.0? I haven't upgraded my forum in a while (haven't got the time to redo all the plugins I've done again)!
Try it on a test installation first. (You might have to edit the product XML file to remove the 3.7.0 vBulletin version dependency.) There's a good chance it'll work, although I haven't tested.
MGSteve
08-13-2008, 01:20 PM
Thanks for the quick reply, I'll give it a try!
You've got my vote for Mod Of The Month too....
Let me know how it goes, if it doesn't work I'll upload a 3.6.x version for you.
Elenna
08-13-2008, 03:16 PM
Thanks very much for this! Thankfully I only had one user with an insecure password, but I'm sure there are more where that came from.
Hostboard
08-13-2008, 03:35 PM
Is there anyway this can be integrated with the Ajax registration modification???
https://vborg.vbsupport.ru/showthread.php?t=182005
Would be a great merger of 2 modifications that complement each other :)
> Is there any way this can be integrated with the Ajax registration modification???
> https://vborg.vbsupport.ru/showthread.php?t=182005
> Would be a great merger of 2 modifications that complement each other :)
I agree with you :)
hcmagix
08-13-2008, 04:47 PM
> I agree with you :)
Ditto.
> Is there any way this can be integrated with the Ajax registration modification???
> https://vborg.vbsupport.ru/showthread.php?t=182005
> Would be a great merger of 2 modifications that complement each other :)
Both are compatible, although if you use a common password it won't report it as invalid in the AJAX mod. (That'd be up to the author of the other mod to include, if he wanted to do that.)
Updated to 1.3.2, lets you choose usergroups to omit from the scan. (E.g. banned users.)
Joe Siegler
08-13-2008, 06:46 PM
w00tage on banned people.
nightbloom
08-13-2008, 07:52 PM
So I used it and it just reloaded and said process complete. Does that mean that it didn't find a single bad password? You should probably have something that says it worked and found nothing if that is indeed what happened.
Because we hide links from users, I'm surprised that not a single person would have made a "junk" account just to DL something.... so I'm wondering if maybe I've made some kind of mistake or have an incompatibility.
Elenna
08-14-2008, 12:55 AM
It would also be wonderful to see a listing of people before they are emailed, so that you can notify them personally if they are a moderator, etc, and you'd want them to change their password before you implement the security measures.
Also, one of our moderators has two accounts with the same email address. I don't have specifics yet, but he is reporting problems with changing his second account's password.
> It would also be wonderful to see a listing of people before they are emailed, so that you can notify them personally if they are a moderator, etc, and you'd want them to change their password before you implement the security measures.
> Also, one of our moderators has two accounts with the same email address. I don't have specifics yet, but he is reporting problems with changing his second account's password.
If you have 1.3.2 installed you can use the Ignore Usergroup setting to bypass usergroups from the scan. I'd recommend adding your mod usergroup ids, and perhaps posting a thread in your mod forum telling everyone to make sure their passwords are hard to guess.
As for users with duplicate email addresses, the only way to handle that is on a case by case basis.
Hornstar
08-14-2008, 06:16 AM
Fantastic work! I will give this a go in a sec. I too would love to see this merged with the ajax registration mod (but I guess he will have to add to his). I will install this one now to send out the emails tho.
Edit: Just realized this was released by John ^^ great to see you back :D
Hornstar
08-14-2008, 06:33 AM
Uploaded files, installed the product, set it up in vBOptions, then went to the admincp/passsec.php page and just got a blue blank page with Password Security Tools written at the top and nothing else.
How do I run the scanner?
Edit: refreshed the Admin CP and saw the Password Security Tools tab show up ^^
Users with usernames as passwords: 5214
Users with common passwords: 8801
WOW lol, glad I got to use this before those spammers did.
EDIT: didn't work, I got a database error
Database error in vBulletin 3.7.2:
Invalid SQL:
UPDATE user SET password='d8081298facbac11db76c31b92ff6f25' WHERE userid=2;
MySQL Error : Table '*****_backup.user' doesn't exist
Error Number : 1146
Request Date : Thursday, August 14th 2008 @ 03:36:04 AM
Error Date : Thursday, August 14th 2008 @ 03:36:04 AM
Script : http://www.gamerzneeds.net/forums/admincp/passsec.php?do=dopassscan
Referrer : http://www.gamerzneeds.net/forums/admincp/passsec.php?do=preparepassscan
IP Address :
Username :
Classname : vB_Database
MySQL Version : 5.0.45-community
RedTrinity
08-14-2008, 09:59 AM
> Ah, missed a table prefix. Download the zip again, and overwrite passsec.php.
Thanks for your support. I re-downloaded the ZIP, overwrote the old file with the new one and then re-imported the xml but am getting the same error, in the same place, as before :(
DeepXP
08-14-2008, 01:23 PM
I must say you have developed one of the best plugins out there. My forum was taken over by these spammers and with the help of your plugin, I could reset all the weak usernames.
Great work and thanks again for the effort.
Regards,
Deep
Joe Siegler
08-14-2008, 01:39 PM
John, great work!
I just ran this on one of my bigboards and it ran flawlessly.
(vBulletin 3.7.2)
One suggestion, what about a report to the admin on all the accounts affected?
That would be a neat little feature.
Thanks again!
That's shown on screen to you if you sit there and watch it.
benstafford
08-14-2008, 07:53 PM
Has anyone tried this with 3.6 yet? I saw the earlier posts from MGSteve about trying to get it to work by modifying the XML file, but he didn't reply back on success or failure.
Rideharder
08-14-2008, 09:28 PM
Come back soon for free soup.
Thanks!
Rideharder
08-14-2008, 09:32 PM
> specify your own custom banned passwords here.
So I can copy and paste! :p
Philip
08-14-2008, 09:54 PM
Just wanted to say thank you for the great mod!
Our 70k users database had about 900 people using their name as password, and another 600+ using weak passwords, we were getting slammed with spam PMs today from some script exploiting users with weak passwords, this proved very useful.
Hornstar
08-15-2008, 05:50 AM
awww, I think I am the only one getting the database error :/ I hope you can help me John, I really want to use this bad. your work is much appreciated!
> awww, I think I am the only one getting the database error :/ I hope you can help me John, I really want to use this bad. your work is much appreciated!
Try this.
> Thanks for your support. I re-downloaded the ZIP, overwrote the old file with the new one and then re-imported the xml but am getting the same error, in the same place, as before :(
Try the attached passsec.php in the above post.
Hornstar
08-15-2008, 09:25 PM
Users with usernames as passwords: 5214
Users with common passwords: 8801
Thanks, it works now, however I should have upped it from 100 before starting lol, I now have to click on next 140 times. Didn't take too long tho. Many thanks.
nightbloom
08-16-2008, 01:39 AM
as stated here: (http://www.rickperry.ca/2008/08/13/password-security-tools-for-vbulletin-amazing-mod/)
:o thanks...
Installed, ran the scan, works perfectly. 84 passwords=usernames and 82 matched the common password list. Out of 3,355 members, by the way.
Thanks John!
Fungsten
08-16-2008, 04:09 PM
I keep getting an incomplete or corrupted download. When I extract it there is only a zero byte file. TIA.
P.S. I also had this happen with another file from another Mod. Not yours though.
RedTrinity
08-17-2008, 04:31 AM
> Try the attached passsec.php in the above post.
Thanks John, works great now!!! 12 out of 1,009 members isn't too bad I suppose :D
Great mod, thanks again for sharing it with us :)
sinucello
08-18-2008, 05:40 AM
Hi,
for some reason the phrase:
<phrasetype name="Access Masks" fieldname="accessmask">
<phrase name="username_cannot_equal_password" date="1218509082" username="John" version="1.0.0"><![CDATA[Your password cannot be the same as your username.]]></phrase>
</phrasetype>
couldn't be found and I had to add a new phrase with the same name for the product "vBulletin", phrase type "Error Messages" to make the error message appear in the user registration dialogue.
all the best,
Sacha
sinucello
08-18-2008, 05:53 AM
Hi,
hm, is it correct that vBulletin doesn't offer an option to set the min. password length? If so, could you add that as a feature for your mod?
all the best,
Sacha
> hm, is it correct that vBulletin doesn't offer an option to set the min. password length? If so, could you add that as a feature for your mod?
For some reason the vBulletin developers think that client-side hashing is a more valuable feature than being able to prevent poor quality passwords from being used by members. vBulletin's client-side hashing feature means that it's impossible to do any checks on the password, since it never reaches the server in clear text form. If someone intercepts your network traffic they can still gain access to your account using the md5 hash. The only protection offered is that in the rare event that this happens, the original clear text password won't be discovered. (Following the safe practice of using different passwords on different sites thwarts this.)
Anyway, the short answer is no - without disabling client-side md5 hashing it's impossible to check password length.
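To make the point in the reply above concrete, here is an added Python example (not the product's code) of a registration-time check that receives only the browser's md5(password). The username and every entry of a finite blacklist can still be hashed and compared, but the length of the submitted password cannot be learned from a 32-character digest, and case variants slip through because "QWERTY" and "qwerty" hash differently. The second function shows what becomes checkable once client-side hashing is disabled and the clear text reaches the server. The banned list, MIN_LENGTH and every phrase name other than username_cannot_equal_password (which the product does use) are assumptions made for the example.

```python
import hashlib

BANNED_PASSWORDS = ["password", "12345", "qwerty", "letmein"]  # constructed list
MIN_LENGTH = 6  # hypothetical minimum; vBulletin 3 has no such option


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def submit_as_browser(password: str) -> str:
    """What vBulletin's register form sends in place of the password."""
    return md5hex(password)


def check_hashed(username: str, password_md5: str):
    """Server-side check when only md5(password) arrives. A finite blacklist
    can be enforced by hashing each banned value and comparing; nothing about
    length or character classes is recoverable. Returns a phrase name for the
    rejection, or None if the password is accepted."""
    submitted = password_md5.lower()
    if submitted == md5hex(username):
        return "username_cannot_equal_password"  # phrase name used by the product
    if any(submitted == md5hex(word) for word in BANNED_PASSWORDS):
        return "password_is_common"  # hypothetical phrase name
    # Every input hashes to 32 hex characters, so "ab" and a 64-char password
    # are indistinguishable here; a length rule cannot be applied.
    return None


def check_clear(username: str, password: str):
    """The same check once the clear text reaches the server: length and
    case-insensitive matching become possible."""
    if len(password) < MIN_LENGTH:
        return "password_too_short"  # hypothetical phrase name
    if password.lower() == username.lower():
        return "username_cannot_equal_password"
    if password.lower() in BANNED_PASSWORDS:
        return "password_is_common"
    return None
```

The trade-off the reply describes is visible in the two functions: with client-side hashing the server learns nothing about the password except equality with values it can hash itself, so a blacklist works and a length rule does not.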
sinucello
08-19-2008, 05:27 AM
Hi,
> Anyway, the short answer is no - without disabling client-side md5 hashing it's impossible to check password length.
Thanks very much for your detailed answer. I added a password info-text, use your editable list of banned passwords and hope that someday the devs will change their minds.
all the best,
Sacha
Hornstar
08-20-2008, 05:50 AM
Finally, vB will be adding this to their next release later this week (or next).
puertoblack2003
08-26-2008, 08:21 PM
Just curious, now that vB implements this, should this hack be required? Or keep it as an extra security feature?
lord_of_chaos
08-27-2008, 04:32 PM
VB doesn't check for common words.
Alfa1
08-28-2008, 02:08 PM
Does this hack need to be updated, now that vBulletin has implemented part of the functionality? I assume that they coded it in a different way than John did.
Is there or will there be, a password strength bar?
sinucello
08-28-2008, 02:58 PM
Hi,
> Does this hack need to be updated, now that vBulletin has implemented part of the functionality? I assume that they coded it in a different way than John did.
> Is there or will there be, a password strength bar?
I just upgraded to 3.7.3 with this mod installed. Everything works but the "username/pw have to be unique" error message will appear twice. So I disabled the mod, though vB doesn't have the list of unwanted passwords feature.
hth,
Sacha
LCN2007
12-31-2008, 04:14 PM
So vB does this now? What version?
From what I read in this thread it seems that this mod is better since it includes a bad word list.
LCN2007
12-31-2008, 04:21 PM
I looked up the vb update.
> Username=Password Disallowed
> In this release, users will no longer be allowed to set their username and passwords to the same value. Users who already have a password that is the same as their username will be forced to change their password on their next login. Additionally, a tool has been added to the Admin Control Panel to email affected users with a new password. Please be aware of these potential compatibility changes when upgrading.
I still think that this mod is still better than what vb has done since they only addressed 1/2 the problem and since I haven't upgraded to 3.7.3 yet. I need to renew my vb membership.
I just wish there was a way to mandate a min password length on the forum.
Great mod John thank you for this.
MessageParis1
02-11-2010, 05:57 PM
> I looked up the vb update.
> I still think that this mod is still better than what vb has done since they only addressed 1/2 the problem and since I haven't upgraded to 3.7.3 yet. I need to renew my vb membership.
> I just wish there was a way to mandate a min password length on the forum.
Apologies for reviving such an old thread, but I just discovered this add-on and it works great with my 3.8.4 installation. However I wanted to do at least something to enforce a minimum password length, so I modified the verify_passwords javascript function in the register template (the changes are the new minlength parameter, the length check branch, and the 8 passed from the form's onsubmit):
<script type="text/javascript">
function verify_passwords(password1, password2, minlength)  // minlength: added parameter
{
    // do various checks, this will save people noticing mistakes on next page
    if (password1.value == '' || password2.value == '')
    {
        alert('$vbphrase[fill_out_both_password_fields]');
        return false;
    }
    else if (password1.value != password2.value)
    {
        alert('$vbphrase[entered_passwords_do_not_match]');
        return false;
    }
    else if (password1.value.length < minlength)  // added: checks the clear text before it is md5-hashed below
    {
        alert('Your password is too short. It has to be at least ' + minlength + ' characters');
        return false;
    }
    else
    {
        <if condition="$show['coppa']">
        pass_copy = password1.value;
        passconfirm_copy = password2.value;
        </if>
        var junk_output;
        // client-side hashing: the server only ever receives these md5 values
        md5hash(password1, document.forms.register.password_md5, junk_output, $show[nopasswordempty]);
        md5hash(password2, document.forms.register.passwordconfirm_md5, junk_output, $show[nopasswordempty]);
        <if condition="$show['coppa']">
        document.forms.register.password.value = pass_copy;
        document.forms.register.passwordconfirm.value = passconfirm_copy;
        </if>
        return true;
    }
    return false;
}
</script>
and immediately after in the same register template:
<form action="register.php?do=addmember" name="register" method="post" onsubmit="return verify_passwords(password, passwordconfirm, 8);">
adwade
12-01-2010, 10:32 PM
the MOD states: "After confirming your email address is valid, we'll send you your new password." in an email to users, but I don't see anywhere how many characters the new/generated Password is. I assume it's a random mix of letters/numbers, but how l-o-n-g is the password it refers to?
adwade
12-02-2010, 02:34 AM
> Apologies for reviving such an old thread, but I just discovered this add-on and it works great with my 3.8.4 installation. However I wanted to do at least something to enforce a minimum password length, so I modified the verify_passwords javascript function in the register template
That worked PERFECTLY, but I have one other question. If a user chooses to later revise their password via the UserCP (i.e. the profile.php?do=editpassword function) then they are no longer held to an 8 character minimum length password since this type of code does not exist there. :(
Does anyone have an idea as to what additional code one would need to insert into the profile.php file to force users to always update their passwords using at least 8 characters? Or should such revisions be made in the modifypassword template?
markslevent
11-29-2012, 09:29 AM
Thanks a lot. It worked for me on 3.8.7.