
View Full Version : Miscellaneous Hacks - Password Strength Check


kh99
10-13-2013, 10:00 PM
What is it?
----------------------------
This mod adds a check for password strength at registration and when a user changes their password. You can specify the minimum length and number of upper case, digits, and other characters you want to require (see screen grab 3), or you can choose a minimum score to allow (based on length and types of characters included, see screen grab 4).

Installation:
----------------------------
1) Upload the files in the upload directory to the appropriate locations.

2) In the Product Manager in AdminCP, import the product XML file (product-kh99_passwords.xml).

3) In the admincp, go to "[kh99] Password Policy Options" and select the options you want.

Uninstalling:
----------------------------
1) Uninstall the product from the Product Manager in the AdminCP.

2) Remove the uploaded files.

Notes:
----------------------------
1) Tested on vb3.8.8. I also tested a bit on vb3.8.2 (mostly for php version compatibility) and it seems to work.

History:
----------------------------
0.9.0 (October 14, 2013) - Initial Release
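As an added illustration of the two policy modes the post describes (explicit per-class minimums, or a minimum score), here is a small checker written for this thread; it is not the mod's own code, and the policy field names, function names and the scoring formula are assumptions.

```javascript
// Added example, not the mod's own code. Field names, function names and the
// scoring formula are assumptions for this illustration.
const CLASS_PATTERNS = {
  upper: /[A-Z]/g,
  lower: /[a-z]/g,
  digit: /[0-9]/g,
  other: /[^A-Za-z0-9]/g, // anything that is not an ASCII letter or digit
};
// Count how many characters of each class the password contains.
function countClasses(password) {
  const counts = {};
  for (const [name, re] of Object.entries(CLASS_PATTERNS)) {
    counts[name] = (password.match(re) || []).length;
  }
  return counts;
}

// Assumed score: one point per character plus five for every character class
// used beyond the first, so variety counts as well as length.
function scorePassword(password) {
  const used = Object.values(countClasses(password)).filter((n) => n > 0).length;
  return password.length + Math.max(0, used - 1) * 5;
}

// policy is { mode: 'rules', minLength, minUpper, minDigit, minOther } or
// { mode: 'score', minScore }. Returns a list of error messages (empty = pass).
// Run it in the browser for instant feedback and again on the server on submit;
// only the server-side call actually enforces the policy.
function checkPasswordPolicy(password, policy) {
  const errors = [];
  if (policy.mode === 'score') {
    const score = scorePassword(password);
    if (score < policy.minScore) {
      errors.push(`password score ${score} is below the required ${policy.minScore}`);
    }
    return errors;
  }
  const c = countClasses(password);
  const rules = [
    [password.length, policy.minLength, 'characters'],
    [c.upper, policy.minUpper, 'upper case letters'],
    [c.digit, policy.minDigit, 'digits'],
    [c.other, policy.minOther, 'other characters (punctuation or symbols)'],
  ];
  for (const [have, need, what] of rules) {
    if (have < (need || 0)) errors.push(`at least ${need} ${what} required, found ${have}`);
  }
  return errors;
}
```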

Chris8
10-15-2013, 04:51 PM
Awesome addition! Thank you for sharing and caring about vb 3.8 series!

Max Taxable
10-15-2013, 05:05 PM
Reserved.

How does this jell with registration timers and the like? How does it work for folks who run with javascript disabled on their browsers?

kh99
10-15-2013, 05:25 PM
Reserved.

How does this jell with registration timers and the like? How does it work for folks who run with javascript disabled on their browsers?


Well, it's somewhat embarrassing, but I haven't tested it with any of the registration timer mods, so I'm not sure. I labeled it "beta", so I was kind of hoping people would try it out and report any problems. Maybe I'll try it if I get a chance (I'm working on the vb4 version right now).

As for people with no javascript, it will check on the server regardless of whether it's been checked by JS (unless you turn off that feature, which is an option although I don't really know why anyone would want to turn it off).

Max Taxable
10-15-2013, 05:47 PM
Well, it's somewhat embarrassing, but I haven't tested it with any of the registration timer mods, so I'm not sure. I labeled it "beta", so I was kind of hoping people would try it out and report any problems. Maybe I'll try it if I get a chance (I'm working on the vb4 version right now).

It might be actually a help for the timer checks, making people take longer to get the password right. This is if there's no conflict otherwise.

As for people with no javascript, it will check on the server regardless of whether it's been checked by JS (unless you turn off that feature, which is an option although I don't really know why anyone would want to turn it off).

Right but, how will the person with j/s disabled know if his/her password passes this check?

kh99
10-15-2013, 05:52 PM
Right but, how will the person with j/s disabled know if his/her password passes this check?

He or she won't know until the form is submitted, then it will appear as an error (just like the existing "password fields don't match" error). On registration, it reloads the registration page and displays any errors, and on password change it tells you to press the "back" button and try again (those are the normal behaviors, I've just added additional error messages).

jpsandiego
01-29-2014, 10:16 PM
Any chance this plugin has been made compatible with 4.2.2 and just not uploaded? XML shows only 4.0.0 and it throws lots of errors when I override to have it try loading in 4.2.2.

Samples:
Warning: fetch_template() calls should be replaced by the vB_Template class. Template name: kh99_password_rule in ..../includes/functions.php on line 4591
Parse error: syntax error, unexpected 'kh99_password_phrase_' (T_STRING) in path/includes/class_bootstrap.php(430) : eval()'d code(72) : eval()'d code on line 1
Warning: fetch_template() calls should be replaced by the vB_Template class. Template name: kh99_password_policy in ..../includes/functions.php on line 4591

kh99
01-29-2014, 10:23 PM
It will not work with vb4. The 4.0.0 in the xml is the first version which is not compatible (that is, the version you have has to be less than the higher version). I was working on the vb4 version and got distracted, but since you're interested I'll try to finish it soon.

jpsandiego
01-29-2014, 10:31 PM
Awesome news. I was starting to look at how to upgrade plugins between the versions. Not so much my wheelhouse. Appreciate the update!

ForceHSS
01-29-2014, 10:42 PM
Would like to see this for 4.2.2 myself

A.Chakery
02-02-2014, 08:35 AM
Hello,

Thank you very much for your nice add-on,

But I have a question if you mind... I noticed that this plugin inserts needed scripts in headinclude which are not really needed on all pages of the forum, only on the register page.

Is there any way to modify this add-on to make it load the JS files on the Registration page only? (manually -or- automatically)

And I have a suggestion regarding HTML validation:

I noticed that you inserted the "<script>" lines like this:
<script src="{$stylevar['yuipath']}/element/element-min.js" ></script>

which are not valid based on XHTML checks. It would be great if you edit them and add the "type" attribute to them:
<script type="text/javascript" src="{$stylevar['yuipath']}/element/element-min.js" ></script>

Again thank you for supporting vB3.x

kh99
02-02-2014, 09:28 AM
Thanks for the feedback, I will try to make those changes.

Terrablade
06-17-2014, 01:13 AM
yikes, Need this one for 4.2.2 is so important :/

kh99
06-17-2014, 09:12 AM
yikes, Need this one for 4.2.2 is so important :/

Yeah, I started the changes for vb4 long ago but never finished. Maybe I'll do that soon.

sinaevil
06-18-2014, 03:11 PM
hi kh99,
thank you for this great add-on, I'm waiting for VB4. tnx.

kh99
06-18-2014, 03:21 PM
hi kh99,
thank you for this great add-on, I'm waiting for VB4. tnx.

I'm actually working on it right now, but the vb4 registration process is a little different so it's taking some time to work out the bugs.

JesWhite
12-26-2014, 03:43 PM
I'm actually working on it right now, but the vb4 registration process is a little different so it's taking some time to work out the bugs.

waiting for 4.2.2

good work...
thanks...

kh99
12-26-2014, 03:57 PM
Oops, another one of the things I never finished. :( I actually thought about that when I saw this mod: https://vborg.vbsupport.ru/showthread.php?t=316017 and I thought maybe I should get it done, but I kind of hated to release it right after someone else wrote one.

Maybe I'll look at it this weekend.

blind-eddie
12-27-2014, 01:24 AM
I forgot about this one as well... going to install it on my other 3.8 site now, Thank you.

Alfa1
10-27-2015, 08:54 PM
It's not showing up on /profile.php?do=editpassword
What do I need to add to the template?

ReCaptcha is no longer showing up on registration now that this is added.

kh99
10-30-2015, 08:32 PM
It's not showing up on /profile.php?do=editpassword
What do I need to add to the template?

ReCaptcha is no longer showing up on registration now that this is added.

Hmm...I'm not sure what's going on there. If it's affecting the recaptcha, then it might be a javascript problem. You could check the browser error console to see. Unfortunately I don't have time right now to support these mods.

Alfa1
11-01-2015, 11:47 AM
I understand. Thanks for making this addon.
However, vbulletin is getting too outdated and insecure for me. I am seeing hack attacks left and right and my big board has recently seen a massive attack using IPv6 vulnerability. I need to get off vbulletin ASAP.

Dave
11-01-2015, 11:51 AM
IPv6 vulnerability? Are we talking about DDoS attacks here?
vBulletin can't be blamed for DDoS attacks or an IPv6 vulnerability, unless it actually abuses a vBulletin vulnerability.

Alfa1
11-01-2015, 04:33 PM
See here: https://theadminzone.com/threads/vbulletin-vulnerability-allows-hackers-to-find-and-brute-force-accounts.136907/

kh99
11-01-2015, 05:06 PM
See here: https://theadminzone.com/threads/vbulletin-vulnerability-allows-hackers-to-find-and-brute-force-accounts.136907/

I didn't read that entire thread because I have no interest in the bickering. I also don't know a lot about ipv6, but it seems to me if I were running vbulletin on a server that was reachable via ipv6, I'd configure the web server to listen only to the ipv4 address, then remove any ipv6 DNS records from my domain name. It seems like that would avoid the issue until ipv4 doesn't work any more. But maybe there's some reason I don't understand for not doing that.

VIP Hawaii
05-27-2016, 01:55 PM
I don't know what happened, but, early on in my installation of VBulletin and various products, I installed your Password Strength Check mod .... after some 6 months of work, all of a sudden the 180 day password expiration message popped up ... I went, 'ugh', and figured OK I'll just change the password, or if I don't want this message popping up, I'll just disable the product so I can log in again ...

Since at that moment I still had a current cookie-supported AdminCP login, I tried a few things : Apparently just disabling the product from within its own AdminCP controls did not work, so I tried disabling it from Products Manager ... that didn't work either so I tried to uninstall the product from Products Manager, then removing all the files that were installed ... : that didn't work either!

I finally thought, OK, so somehow this product had 'seen' that my password was 180 days old so it set something into some database file making it so I had to change my password ... so I'll try setting Windows back 14 days so I can fool this product into thinking it's not 180 days yet, then log into the AdminCP, uninstall this product, then change the clock back, and log in again (I also rebooted the computer etc. before trying to log in again) ... even after uninstall and removal of all the product files, as you direct to do in your UNINSTALL instructions, I still cannot log in, getting that "your password is 18x days old" message ... when I click on the link to reset the password, the link will say it's sent my password, but for whatever reason the built-in email function in Vbulletin isn't working ... I even set up HMail server but that doesn't seem to be sending me the mail either... cannot log into the site let alone the AdminCP so without setting the clock back again and trying another login I will not be able to ever get back into the AdminCP ... HOW DO I ***REALLY*** UNINSTALL THIS PRODUCT? If it causes this kind of damage potentially, it should be QUARANTINED ...

I should also mention that I have tried disabling all hooks in /includes/config.php and also had "undeletable users" set for my Administrator account (how then can it have changed my 'old' password then? I thought that config.php rules 'RULED' over all other settings!!!))) ... whenever I would try to paste in my 'old' password (which is definitely correct!) to change the password, I'd get a message saying I had not typed my *current* password in correctly! I have also tried removing all related cookies, restarting Firefox, again, no go. Tried of course, restoring older versions of the database (after installation of this mod but before the 180 days had passed), resetting the clock backwards, then forwards, still no go. Tried logging in using tools.php ... this seemed to work once, then would not work again ... still can't get in. I finally tried resetting the clock to present time, then tried tools.php Admin restore, then tried going to the password modification page this mod presents ... I removed whatever was in the 'old password' field, put in my newer password after having changed it in AdminCP at some point ... no go. Tried putting in the OLD password, and for some reason (still unknown to me), I was able to change the password ... then tried logging out, then in again as Administrator and was able to log into AdminCP ... right at the moment things look pretty normal again ... but : (soap opera music plays) 1. Will I be able to uninstall this thing successfully? 2. Will I get locked out again in about 6 months? 3. Will I be able to get back in again? 4. Will this happen to my other users? 5. Will this mod ever be fixed and updated?

Hey, I can understand if someone does not have the time to support a mod they have created, but when that mod has the capability of LOCKING OUT THE ADMIN, that no-support policy should be changed for that mod, at least until it's fixed.

VIP

kh99
05-28-2016, 01:26 PM
First, I'm sorry that you're having problems. The fact is that while I won't rule out ever making any changes or releasing fixes, at this point you'd have to consider all my mods as unsupported. And you're right, if one of them has an issue it should be quarantined, although I think that may only be done for security issues and not for bugs.

That said, if I understand you correctly you seem to believe that the "Your password is 180 days old" screen is displayed by my mod, but it's not, that's a feature of vbulletin. It can be turned off by a setting somewhere I believe, but I have no way of finding which one right now. Maybe I'm not understanding what you're saying, because I don't really understand why you didn't just change your password.