Andreas
09-14-2005, 10:00 PM
Password Security
Description
This Hack allows you to force your members to use safe(r) Passwords:
You can define a minimum length
You can define how many character classes a Password must use
Does not allow using Username or eMail-Address as Password
Dictionary Check to prevent common passwords
(Not yet fully implemented; Table wordlist must be filled manually, but check is present)
Details
1 Product XML (2 Plugins, 14 Phrases, 2 Settings)
2 Template Edits
History
1.0.0
Initial Version
1.0.1
Fixed problem with multiple Datamanager
1.0.2
Changed code to ignore automatically created weak passwords
nexialys
09-15-2005, 12:49 AM
first reply... GNI!
request for future: can this hack be modified to be using AJAX for the verif, instead of javascript plain ?!
thanks for this... greatly appreciate!
Daniel
09-15-2005, 03:08 AM
o0o Very nice!
Andreas
09-15-2005, 11:14 AM
@nexialys
Nope. That would mean having to transfer plaintext Passwords which is a no-no.
sensimilla
09-15-2005, 01:09 PM
great hack :)
bulbasnore
09-19-2005, 11:04 AM
cool, we'll definitely need this when we get to 3.5
THANKS for doing this
so in preventing the use of screen name as password, which, if any, of these does it prevent?
bulbasnore9
bulba9snore
9bulbasnore
bulbasnoreZ
b.u.l.b.a.s.n.o.r.e.
Also, are there rules for the word list or is the list just matched verbatim (or perhaps case insensitive)?
All we need do with the list is just add a table with the words, yes?
cool, we'll definitely need this when we get to 3.5
THANKS for doing this
so in preventing the use of screen name as password, which, if any, of these does it prevent?
bulbasnore9
bulba9snore
9bulbasnore
bulbasnoreZ
b.u.l.b.a.s.n.o.r.e.
Also, are there rules for the word list or is the list just matched verbatim (or perhaps case insensitive)?
All we need do with the list is just add a table with the words, yes?
I haven't quite looked at this in great detail, but adding "dictionary" words... is there a way to mass add them or is it just one at a time?
Andreas
09-19-2005, 11:51 AM
Currently there is no way to add any at all ;)
@bulbasnore
None, as they are all different from your Username
Awe... :( I was looking forward to being bored and adding to it :(
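Added example, not part of the thread or the hack's code: a sketch of the policy described in the first post, showing why an exact comparison accepts all five variants asked about above and how a folded containment check would flag them. The thresholds, field names, the `strict` option and the case-insensitive wordlist match are assumptions.

```javascript
// Added example. Thresholds, field names and the "strict" rule are assumptions,
// not the hack's settings or code.
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];

// Lowercase and keep letters only, so padding digits, dots and case changes vanish.
const fold = (s) => s.toLowerCase().replace(/[^\p{L}]/gu, "");

function checkPassword(password, user, opts = {}) {
  const { minLength = 8, minClasses = 2, wordlist = [], strict = false } = opts;
  const errors = [];
  if (password.length < minLength) errors.push("too_short");
  if (CLASSES.filter((re) => re.test(password)).length < minClasses) {
    errors.push("too_few_classes");
  }
  // Identity strings a password must not be built from.
  const ids = [user.username, user.email, user.email.split("@")[0]];
  if (ids.includes(password)) {
    errors.push("equals_identity"); // exact comparison, as the thread describes
  } else if (strict) {
    const folded = fold(password);
    // Ignore very short identities, which would match almost anything.
    const hit = ids.map(fold).some((id) => id.length >= 4 && folded.includes(id));
    if (hit) errors.push("derived_from_identity");
  }
  // Wordlist matching is assumed case-insensitive; the thread leaves this open.
  if (wordlist.some((w) => w.toLowerCase() === password.toLowerCase())) {
    errors.push("dictionary_word");
  }
  return errors;
}

// Constructed sample: the five variants asked about in the thread.
const user = { username: "bulbasnore", email: "bulba@example.com" };
const variants = ["bulbasnore9", "bulba9snore", "9bulbasnore", "bulbasnoreZ",
                  "b.u.l.b.a.s.n.o.r.e."];
const report = (strict) =>
  variants.map((pw) => [pw, checkPassword(pw, user, { strict }).join(",") || "accepted"]);

console.log(report(false)); // exact comparison only: every variant is accepted
console.log(report(true));  // folded containment: every variant is flagged
```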
WNxWakko
10-07-2005, 11:06 PM
how will this mod affect someone using password retrieval? will it give them a pass not within the criteria and then not work?
Andreas
10-07-2005, 11:07 PM
Doesn't have any effect on password reset, only on passwords the user does choose.
WNxWakko
10-07-2005, 11:14 PM
so if they do pass retrieval and it doesn't follow the criteria I set, does that mean once they login with the new it will force them to change it?
Andreas
10-07-2005, 11:16 PM
No. As said, it does not have any effect on system generated passwords.
But that's a good point, I have to think about whether there is something that could be done.
Moparx
10-23-2005, 05:17 PM
when the product is enabled and you try to use the Update User Titles and Ranks function the following error is made (I removed the actual paths for this post):
Updating user info...
Processing: 1
Fatal error: Cannot redeclare verify_password_secure() (previously declared in /path/to/includes/class_dm_user.php(163) : eval()'d code:3) in /path/to/includes/class_dm_user.php(163) : eval()'d code on line 3
Andreas
10-23-2005, 08:05 PM
Wrap function verify_password_secure in
if (!function_exists('verify_password_secure'))
{
	// the existing definition of verify_password_secure goes here, unchanged
}
Will update the ZIP soon.
Mastar
10-23-2005, 11:53 PM
Never Mind
first reply... GNI!
request for future: can this hack be modified to be using AJAX for the verif, instead of javascript plain ?!
thanks for this... greatly appreciate!
Nice :) Very good
bigmonay2k
11-13-2005, 02:01 AM
sounds good dude
Rabbitoh Warren
11-17-2005, 03:59 PM
This hack appears to interfere with users' ability to reset their password should they forget it. I'll have to disable it for now. :(
Andreas
11-17-2005, 04:27 PM
Can you give a little more information about how it does interfere?
That would be useful ...
Mu5icMan
12-15-2005, 09:24 AM
It does indeed interfere with resetting of passwords.
Enter email address to reset password.
Click on link sent to email address to reset password.
Vbulletin comes up with an error:
The Password you have choosen is not considered strong enough. Please make sure that you are using at least 2 different character Classes (Uppercase Characters, Lowercase Characters, Numbers or other Characters).
I see from the link that the password is all numbers and hence will not allow me to reset.
Mu5icMan
01-03-2006, 11:04 AM
anybody going to sort this?
Omranic
01-26-2006, 05:37 PM
anybody going to sort this?
up waiting for fixing for that
lazytown
01-27-2006, 03:18 AM
This is a great mod if the above mentioned problems are fixed (I have not confirmed that they exist, but it seems likely).
Please any update?
Thanks -vissa
It does indeed interfere with resetting of passwords.
Enter email address to reset password.
Click on link sent to email address to reset password.
Vbulletin comes up with an error:
The Password you have choosen is not considered strong enough. Please make sure that you are using at least 2 different character Classes (Uppercase Characters, Lowercase Characters, Numbers or other Characters).
I see from the link that the password is all numbers and hence will not allow me to reset.
fixed by andreas?
seems updated 27 jan
Smiry Kin's
02-05-2006, 01:21 AM
nice one
/me will be installing this soon
vnchannel
03-24-2006, 03:19 PM
Hi Andreas
I installed it. It is useful but I think it needs a more user-friendly guide. For example, it should show the registrant a meter of the strength of the password he is typing. You can see an example of it when you register at Hotmail.
Could you tell me how to add words to the word list? Thank you
Anyway this hack is very good to install, I really appreciate.
Thank you, Andreas
thanks bro, this mod's so great :)
dsewebteam
08-24-2006, 01:50 AM
I have installed it in VB 3.6.0 and it's working great, thanks.
Hornstar
01-10-2007, 09:33 AM
I would like this for just my mods, smods and admins. Is there any way to set this for just them and not anyone else?
also is this working for vb 3.6.4?
and has anyone got the word list yet?
Thanks.
Doc Great
02-22-2007, 06:49 AM
It's working for vb 3.6.4
If there's any interest in a TMS-Product, please send me a pm :-)
dsewebteam
02-26-2007, 07:59 PM
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password is expired the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.
I have had to turn it off due to too many people contacting me to change their password.
lazytown
03-02-2007, 12:36 PM
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password is expired the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.
I have had to turn it off due to too many people contacting me to change their password.
So is the mod essentially broken with 3.6.4? I really need this and can't believe VB allows such weak passwords. I need to get all my users to change their passwords (expiry) and then want this mod to force them to make decent ones. Will that not work with this mod?
-vissa
lazytown
03-02-2007, 11:29 PM
Hey Andreas,
I am now having a problem with this in 3.6.4.
Initially I set the password to expire in 90 days for all users.
Now 90 days have passed and the password is expired the user cannot change it, they have to contact me to change it for them via admincp.
I have checked this myself and it looks like it locks the user out once the password is expired.
What this needs is to send a password expiry email before the password expires.
I have had to turn it off due to too many people contacting me to change their password.
Can you detail exactly what happens so we can try to fix this? I want this working on 3.6.4 / 3.6.5 properly. So a user has to change their password. What exactly happens next? Does it work fine if you DON'T use password expiry or is there a problem any time a member tries to change their password?
Thank you
-vissa
lazytown
03-12-2007, 12:21 AM
Well I finally broke down and installed this on 3.6.5. Seems to work fine. I've tested registrations and users resetting their passwords. Those seem to work well as is. I will be testing "password expiry" shortly and report back.
-vissa
stamos2003
11-21-2007, 08:32 AM
installed on 3.6.8 and works fine
though, it would be nice to port this hack to 3.6.8 and especially add the password check also to the "change password" site at the forum, not only for new signups
harkonen70
11-28-2007, 03:00 PM
installed on 3.6.8 and works fine
though, it would be nice to port this hack to 3.6.8 and especially add the password check also to the "change password" site at the forum, not only for new signups
I concur .. or make something like this a feature of vb as a whole.
mackers8923
05-09-2008, 12:17 AM
On 3.7, if a user edits their password (to one that is shorter than specified) they get an error - "Your password is too short..." - then it returns to the User CP.
In actual fact the password does change - if you try to re-change it you get an error saying "Password entered doesnt match your current one..." If you try the "too short" password it works...
Any ideas?
Joe Siegler
08-11-2008, 06:28 PM
This appears to not completely work with current code.
I really could use the "stop users from having same password as their username" as I was just compromised (http://forums.3drealms.com/vb/showthread.php?p=741938#post741938) this morning.
From reading, I get the impression this doesn't work right with 3.72. Am I correct, or am I not right, and it does work? I really could use this mod like NOW, since I'm now a known target for this kind of behaviour.
Martin Belak
09-22-2008, 08:04 PM
The following solves the "bug" in combination with vB 3.7.3
In modifypassword find:
onsubmit="hash_passwords(
and replace with
onsubmit="return hash_passwords(
/M
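Added example, not part of the thread and not vBulletin code: a small simulation of why the missing `return` in the `onsubmit` attribute lets a rejected password through, which matches the 3.7 report above of an error being shown while the password still changes. The `hash_passwords` stand-in, its arguments and the form fields are hypothetical.

```javascript
// Added example; not vBulletin code. hash_passwords() below is a hypothetical
// stand-in with made-up arguments.

// A browser turns the onsubmit attribute text into the body of a function.
// (Simplified: the real scope chain also includes the form and document.)
function compileInlineHandler(attrText, scope) {
  const names = Object.keys(scope);
  const fn = new Function(...names, "event", attrText);
  return (event) => fn(...names.map((n) => scope[n]), event);
}

// Stand-in validator: refuse short passwords, otherwise swap the clear text
// for a placeholder digest (not a real hash).
function hash_passwords(form, minLength) {
  if (form.newpassword.length < minLength) {
    form.error = "password too short";
    return false; // intended to cancel the submit
  }
  form.digest = "digest-of:" + form.newpassword;
  form.newpassword = "";
  return true;
}

// Simulated submit: the request is sent unless the handler's own return value
// is false. (Calling event.preventDefault() also cancels; not modelled here.)
function submit(attrText, password) {
  const form = { newpassword: password };
  const handler = compileInlineHandler(attrText, { hash_passwords, form });
  const sent = handler({ type: "submit" }) !== false;
  return { sent, form };
}

const BEFORE = "hash_passwords(form, 8)";        // result is discarded
const AFTER = "return hash_passwords(form, 8)";  // result reaches the browser

console.log(submit(BEFORE, "abc"));          // error recorded, yet sent: true
console.log(submit(AFTER, "abc"));           // sent: false
console.log(submit(AFTER, "long-enough-1")); // sent: true, clear text removed
```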
joshskeety
12-31-2009, 01:37 PM
How can such a good mod not get updated? Even with that last fix the mod doesn't even appear to check the strength of the passwords.