Advanced Password Rules
Logician
07-22-2002, 10:00 PM
This hack allows you to set advanced rules for user passwords to increase member account security. You can enable/disable:
The password can't be the same as the username
The password can't be shorter than X characters
The password must include both numbers and letters
The password can't be all consecutive like 111111 or aaaaaa
The password can't be years (eg. birth years) or the character sets you banned like 'qwerty' or '0000'
individually. Advanced password rules apply to new registering members and existing members who change their passwords.
The hack is Admin CP integrated so you can configure its options inside your Admin CP. (See screenshots below) It's compatible with all VB versions I know, feel free to try..
I coded this hack as a part of my "Advanced Board Protection Hack" (not released yet), however it became too complex, so I separated this and made it an independent hack.
Click INSTALL (https://vborg.vbsupport.ru/misc.php?s=&action=install&threadid=41424) if you install the hack, thx.
Enjoy...
Logician \\=^))
Logician
07-23-2002, 02:44 PM
Screenshot:
(Admin CP Settings Page where you configure your password rules)
Xenon
07-23-2002, 02:50 PM
another great hack by you pal
/me thinks to nominate it a hack of the month
Lesane
07-23-2002, 02:58 PM
Great work Logician
Chris M
07-23-2002, 03:09 PM
Brilliant:)
Just a Question : You know that characters like "11111111" can't be used...
How about a password of the format :
LLLnnNNN (LLL are different letters, nn is the same number, NNN are other numbers)
Would the two "nn" numbers be blocked if you are using the Consecutive feature? (i.e. abc11234)
Satan
EchoHype.com
07-23-2002, 04:37 PM
Nice hack!
Floris
07-23-2002, 04:47 PM
Great hack, applying to localboard first and testing it to the max to see if it still has an ease of use for the end-user.
Logician
07-23-2002, 06:06 PM
@hellsatan:
Would the two "nn" numbers be blocked if you are using the Consecutive feature? (i.e. abc11234)
Nope it's not. Hack only stops (if set to do so) when all chars are same. So password "11111111" is not allowed while "111111110" or "011111111" or "111101111" are permitted..
@xiphoid: please return me your test results and some feedback. I have tested it in 3 different boards and using it in my real board without any problems but I can always use some feedback especially from power-users like yourself, thx :)
@rest: thx for the nice comments.. enjoy..
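The rule set from the first post, with the "all characters the same" behaviour Logician describes in the reply above, as an added PHP example that is not the hack's own code. The array keys reuse the setting varnames listed later in the thread; their value formats, the 19xx/20xx year range, exact-match banned strings and the case-insensitive username comparison are assumptions.

```php
<?php
// Added illustration, not the hack's code. Keys reuse the setting varnames
// listed in the thread; the value formats used here are assumptions.
$rules = [
    'bbuser_pass_same_name'     => 1,  // 1 = reject password equal to username
    'bbmin_pass_length'         => 6,  // minimum length in bytes; 0 disables
    'bbpassword_alphanum_check' => 1,  // 1 = require both letters and digits
    'bbpassword_repetitive'     => 1,  // 1 = reject one character repeated
    'bbpassword_complexity'     => 1,  // 1 = reject years and banned strings
    'bbp_basic_unallowed'       => 'qwerty 0000 password', // assumed space-separated
];

/** Returns the list of violated rules; an empty list means the password passes. */
function apr_check(string $username, string $password, array $r): array
{
    $errors = [];
    if ($r['bbuser_pass_same_name'] && strcasecmp($username, $password) === 0) {
        $errors[] = 'same_as_username';
    }
    if ($r['bbmin_pass_length'] > 0 && strlen($password) < $r['bbmin_pass_length']) {
        $errors[] = 'too_short';
    }
    if ($r['bbpassword_alphanum_check']
        && !(preg_match('/[A-Za-z]/', $password) && preg_match('/[0-9]/', $password))) {
        $errors[] = 'needs_letters_and_digits';
    }
    // Per the reply above: only a password made of ONE repeated character trips
    // this rule, so "11111111" does while "111111110" and "abc11234" do not.
    if ($r['bbpassword_repetitive'] && preg_match('/\A(.)\1+\z/s', $password)) {
        $errors[] = 'all_same_character';
    }
    if ($r['bbpassword_complexity']) {
        $banned = preg_split('/\s+/', strtolower($r['bbp_basic_unallowed']), -1, PREG_SPLIT_NO_EMPTY);
        $isYear = preg_match('/\A(19|20)\d{2}\z/', $password) === 1; // assumed year range
        if ($isYear || in_array(strtolower($password), $banned, true)) {
            $errors[] = 'year_or_banned_string';
        }
    }
    return $errors;
}

// Constructed sample inputs: [username, candidate password].
foreach ([['bob', 'abc11234'], ['bob', '11111111'], ['bob', '111111110'],
          ['bob', 'BOB'], ['bob', '1984'], ['bob', 'qwerty']] as [$u, $p]) {
    printf("%-10s %s\n", $p, implode(',', apr_check($u, $p, $rules)) ?: 'ok');
}
```

Each rule is evaluated independently, so a digits-only password such as "111111110" clears the repetition rule but is still reported by the letters-and-digits rule when that one is enabled.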
inetd
07-23-2002, 06:07 PM
Logician, really the best hackers!
Good idea!!!
Really hack of month!
Velocd
07-23-2002, 06:15 PM
pro :)
not sure about hack of the month, but it's still very useful.
Chris M
07-23-2002, 06:32 PM
Thanks Logician!:)
Satan
Boofo
07-24-2002, 12:20 AM
Will this hack work with bira's "Send Random Password Instead of Activation Code (v2.0)" hack?
DrkFusion
07-24-2002, 01:34 AM
Nice work man, keep it up
Drk
Logician
07-24-2002, 08:27 AM
Originally posted by Boofo
Will this hack work with bira's "Send Random Password Instead of Activation Code (v2.0)" hack?
I haven't used Bira's hack but if it is not modifying "register.php" or "member.php" (which is very unlikely), yes they would work together without any problems..
Boofo
07-24-2002, 08:48 AM
It sends users a random password rather than an Activation Code when they register. It does modify the member.php in the editprofile section. Not safe to use then, I take it? :)
Originally posted by Logician
I haven't used Bira's hack but if it is not modifying "register.php" or "member.php" (which is very unlikely), yes they would work together without any problems..
Logician
07-24-2002, 10:42 AM
Originally posted by Boofo
It sends users a random password rather than an Activation Code when they register. It does modify the member.php in the editprofile section. Not safe to use then, I take it? :)
I don't think so.. My hack modifies "updatepassword" section of member.php. If Bira's hack does not touch that part (I can't see a reason it will touch it), you can use them together..
Boofo
07-24-2002, 11:22 AM
Ok, I installed it and have a question or two.
Here's the code you said to look for:
4- edit register.php, find:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
if ($password!=$passwordconfirm) {
eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
exit;
}
Here's the code from bira's hack:
// Send Random Password Instead of Activation Code (v2.0)
if ($randpassword=="0" and $password!=$passwordconfirm) {
// Send Random Password Instead of Activation Code (v2.0)
eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
exit;
}
The member.php file had bira's hack in the update password part but it didn't look like it affected your code. I'm not sure though. :)
Also, I have a question about the wording in the Admin CP.
User password cant be same with username?
Does yes mean it CAN't be the same or does no mean that?
Password Complexity
Password can NOT be birthyears or custom ones you set below
Same with this one.
I just want to be 100 percent sure I'm not setting something wrong. :)
Logician
07-24-2002, 03:09 PM
Originally posted by Boofo
The member.php file had bira's hack in the update password part but it didn't look like it affected your code. I'm not sure though. :)
It is ok, you can add my code after Bira's code, they wont clash..
Does yes mean it CAN't be the same or does no mean that?
If you set it to YES, password can not be same with username.. So to disable this check set it to NO..
Same applies to "Password Complexity": Yes enables it, while NO disables the check..
I just want to be 100 percent sure I'm not setting something wrong. :)
Sure thing hehe
Boofo
07-24-2002, 03:14 PM
Thank you, sir! :)
globalwin
07-24-2002, 04:06 PM
Logician: Can you please make me an uninstall file for the install file you made because I want to cleanly uninstall this hack.
Thanks, :)
Logician
07-24-2002, 04:20 PM
Originally posted by globalwin
Logician: Can you please make me an uninstall file for the install file you made because I want to cleanly uninstall this hack.
Thanks, :)
globalwin, it does not harm you if you leave it intact but not use it. So if you disable options in the Admin CP, the hack will be disabled automatically. You can also delete text editing section from member.php and register.php and the hack will again be disabled.
But if you want to delete the hack from the database section anyway you need to edit 2 tables via PHPmyAdmin or any other SQL tools. (once again: this is not necessary!) You need to edit 2 tables in your database:
1- edit table "settinggroup" and delete the record where title = "Advanced Password Rules". It will be probably the last record in the table..
2- Edit table "setting" and delete 6 records (again probably will be the last 6) with varnames= bbuser_pass_same_name, bbmin_pass_length, bbpassword_alphanum_check, bbpassword_repetitive, bbpassword_complexity and bbp_basic_unallowed
Backup db before taking actions just in case..
Xenon
07-24-2002, 04:25 PM
you can also open your admin/config.php and add $debug=1; into it.
then go to your acp and you see new options in the navmenu. click on edit settings and then remove the settings for this hack
be sure after doing so to set $debug=0; again
alibaba
09-05-2002, 03:03 AM
help me!
add hack OK but register new not active
kreatiV
10-26-2002, 06:04 PM
I wonder if this hack can be extended?
1.) Force a Password change every XX Days ( configured via AdminCP )
2.) Force Password change - NOW - meaning on the next login the users have to change their password.
3.) Countdown 3 days before the password must be changed, saying something like " In 3 days you have to change your password - change it now? " " In 2 days, etc. "
4.) DeluxeVersion: store last 10 passwords and do not let user use any of those 10 Passwords.
Can this be done? I think it would be a nice security addon....
Bison
11-01-2002, 02:20 PM
Gonna give this a try ...
Chris M
11-01-2002, 02:56 PM
@kreatiV - 10 last passwords? Some people, like myself, don't have that many passwords, and they may forget new ones they have to make...
Why not the last 3?
Satan
kreatiV
11-01-2002, 03:50 PM
Okay, last 3 is okay as well ;)
nugfoo
03-26-2003, 05:06 PM
What about enforcing the use of non-alphanumeric characters? I don't see an option for that. Could it be added?
Thanks! Great work!
Mr. Brian
03-27-2003, 05:32 AM
Great work! Logician ".) :lick:
Night Owl
07-25-2003, 08:59 PM
Will this work on version 2.3.0?
This would be PERFECT for my board!
Logician
07-25-2003, 09:05 PM
yes it should work on 2.3.0.. :)
Night Owl
07-25-2003, 09:45 PM
OK. I just installed this. Everything is working...
Except the template. When I put a birthdate in as a password, it sends me to the advanced password rules template, but there is nothing there. I have checked the templates on both my template sets and they are both populated.
Attached is a screenshot:
Night Owl
07-25-2003, 09:45 PM
I also went back to the instructions and reread them, but I can't see where I missed doing anything. wugh.
Night Owl
07-25-2003, 10:36 PM
Nevermind. I figured it out. Somehow. lol
Mu5icMan
10-10-2003, 08:28 AM
i would like some advice please. On our vbulletin we use .php3. In the APR_install.php would i need to rename it to APR_install.php3 and all content inside to *.php3. also this piece of code i'm not sure of inside this file. Where does this go konukdefteri.php and do i need to change the extension of that to php3 as well.
Logician
10-10-2003, 12:29 PM
i would like some advice please. On our vbulletin we use .php3. In the APR_install.php would i need to rename it to APR_install.php3 and all content inside to *.php3. also this piece of code i'm not sure of inside this file. Where does this go konukdefteri.php and do i need to change the extension of that to php3 as well.
1- First change filename to "APR_install.php3"
2- Edit file and change line include("./global.php"); to include("./global.php3");
3- And line $file_name="APR_install.php"; to $file_name="APR_install.php3";
You don't need to make any changes. konukdefteri.php is an obsolete code which does not run anyway. It should work ok after these 3 changes.
Mu5icMan
10-10-2003, 12:40 PM
cheers, Logician, you da man
AKosygin
10-12-2003, 08:55 PM
Logician,
Good work! Keep those users from complaining about their account being hacked. (hate it when it is a PEBKAC issue).
Just a minor nitpick, it is "DISALLOWED" not "UNALLOWED". Might want to fix that minor error.
As for the template, most of you can probably make your life a little easier by taking the global variables of the hack and put it in as part of your error message template, like:
The password you have entered does not meet the password complexity requirements as set by the system administrator. Please go back and ensure that your password meets the complexity requirements.
<br>
<br>
Your password must be at least $bbmin_pass_length characters long, and can not be repeating letters or numbers, and can not be your username.
By using $bbmin_pass_length in your error message template, the number of characters long will be displayed and change according to what you have set in your admin CP options. So you don't need to go back to edit the template every time you change the settings.
Logician may also want to adjust a few of those variables, or introduce an "enhanced" hack to allow those variables to be passed as "Yes" or "No" text string, so people can just put in the variables at the template and will automatically change with the settings.
Mu5icMan
10-13-2003, 08:32 AM
when i eventually get around to putting this hack on what will happen to the current passwords.
Logician
10-13-2003, 09:47 AM
when i eventually get around to putting this hack on what will happen to the current passwords.
nothing.. the hack will apply when a new user registers or when a member changes his password.
Mu5icMan
10-15-2003, 08:20 AM
i can't seem to run the apr_install.php3 file. Is it possible to run it through an FTP program. Maybe someone could explain how to run this in detail. I don't want to sound like a complete newbie
Logician
10-15-2003, 09:45 AM
You need to run it because it changes your options page to add hack related options there. You are not able to install the hack without running this file and you can not run via FTP or something.
Mu5icMan
10-15-2003, 10:57 AM
i've done it, it was just me acting stupid AGAIN :P
Mu5icMan
10-27-2003, 09:34 AM
Is there an easy way to edit the hack and not allow Vowels.
Crank
01-28-2004, 01:31 AM
clicks install
gonna try it out and see
maimin_matty
11-11-2004, 03:32 PM
Will this work for 3.0.3?
Either way, thanks for your work Logician!
Logician
11-23-2004, 04:39 PM
Will this work for 3.0.3?
Either way, thanks for your work Logician!
Nope sorry, it is coded for vb2. I plan to port it to vb3 but please do not ask when ^^
lazytown
02-28-2007, 07:41 AM
(sorry to bring up an old thread but it is relevant)
Is this even POSSIBLE for 3.6? Since we no longer have access to the password, we can't really check to see if users are creating silly passwords (same as username, etc). Can anything be done about that? It's a SERIOUS problem with members being able to easily get into other's accounts.
-vissa