Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 3.7 > vBulletin 3.7 Add-ons

Reply
 
Thread Tools
Password Security Tools Details »»
Password Security Tools
Version: 1.3.2PL1, by John John is offline
Developer Last Online: Nov 2023 Show Printable Version Email this Page

Category: Administrative and Maintenance Tools - Version: 3.7.2 Rating:
Released: 08-12-2008 Last Update: 08-14-2008 Installs: 72
DB Changes Uses Plugins
Re-useable Code Additional Files Translations Is in Beta Stage  
No support by the author.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Security Tools
For vBulletin 3.7.0 and above
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A product designed to combat the recent increase in weak password attacks by spammers.

For background information, read the following threads:
http://www.vbulletin.com/forum/showthread.php?t=278975
http://www.vbulletin.com/forum/showthread.php?t=281371

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Problem
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The problem stems from the fact that vBulletin doesn't check the quality of a user's password when registering or changing the password in the User CP. As a result, users are able to choose easily guessable passwords to protect their account. The most common passwords are things like "password", "12345", "qwerty", "letmein", as well as the user's own username. On a large forum, these poorly protected accounts can number hundreds or even thousands, and this has shown itself to be a prime opportunity for spammers to exploit. With a relatively simple script, spammers are able to scrape the member list from your forum and automatically validate which of the accounts have such passwords. A spammer with access to tens, hundreds or thousands of legitimate user accounts is a situation you don't want to be in.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What This Does
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This product has two main functions.
1. It prevents users from using their own username as a password, or any other commonly used word. (An editable list of banned passwords is available in the Admin CP.) The same rules apply if a user tries to change their password after registration.
2. It provides you with a tool to identify existing user accounts that have bad passwords, and lets you reset those passwords. Emails will be automatically dispatched to affected users notifying them of the change, and providing instructions on how to gain access to their account.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Installation
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To install:
1. Upload cpnav_passrepair.xml to includes/xml/
2. Upload passsec.php to admincp/
3. Upload product-passrepair.xml to your Admin CP as a product
4. Enable the product in vBulletin Options

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Scanner - Usage Notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The password scanning portion of this product is a utility designed for use by administrators. There are a few things to be aware of.
1. BACK UP YOUR DATA BEFORE USING THIS SCRIPT.
2. It's not a tool designed for frequent usage, it's a quick and dirty way of getting the job done. If Jelsoft don't address this issue, I might return to it and optimize the password scanner to make it a little less server intensive. Use it sparingly, and close your forums before commencing a scan.
3. The password scanner has the potential to send out a lot of email. Use the "Users Per Page" setting to process accounts at whatever rate you deem your server capable of handling.
4. After you've installed this product it'll be impossible for users to register using a blacklisted or invalid password (or to change it to one afterwards). As a result, you should only need to use the password scanner once. Feel free to remove the passsec.php and cpnav_passrepair.xml files from your server once you're done with the scanner, the rest of the product will still function.
5. For unattended bulk processing of accounts, there's some javascript in passsec.php that's currently commented out. Use it at your own risk.

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
markslevent

Comments
  #22  
Old 08-13-2008, 07:52 PM
nightbloom's Avatar
nightbloom nightbloom is offline
 
Join Date: Mar 2008
Location: Whidbey Island, WA
Posts: 145
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

So I used it and it just reloaded and said process complete. Does that mean that it didnt find a single bad password? You should probably have something that says it worked and found nothing if that is indeed what happened.

Because we hide links from users, Im surprised that not a single person would have made a "junk" account just to DL something.... so Im wondering if maybe Ive made some kind of mistake or have an incompatibility.
Reply With Quote
  #23  
Old 08-13-2008, 08:06 PM
b00k b00k is offline
 
Join Date: Feb 2005
Posts: 251
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

-----------
Reply With Quote
  #24  
Old 08-14-2008, 12:55 AM
Elenna Elenna is offline
 
Join Date: Jan 2006
Location: St. Charles, MO
Posts: 422
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It would also be wonderful to see a listing of people before they are emailed, so that you can notify them personally if they are a moderator, etc, and you'd want them to change their password before you implement the security measures.

Also, one of our moderators has two accounts with the same email address. I don't have specifics yet, but he is reporting problems with changing his second account's password.
Reply With Quote
  #25  
Old 08-14-2008, 01:52 AM
John's Avatar
John John is offline
 
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Elenna View Post
It would also be wonderful to see a listing of people before they are emailed, so that you can notify them personally if they are a moderator, etc, and you'd want them to change their password before you implement the security measures.

Also, one of our moderators has two accounts with the same email address. I don't have specifics yet, but he is reporting problems with changing his second account's password.
If you have 1.3.2 installed you can use the Ignore Usergroup setting to bypass usergroups from the scan. I'd recommend adding your mod usergroup ids, and perhaps posting a thread in your mod forum telling everyone to make sure their passwords are hard to guess.

As for users with duplicate email addresses, the only way to handle that is on a case by case basis.
Reply With Quote
  #26  
Old 08-14-2008, 06:16 AM
Hornstar Hornstar is offline
 
Join Date: Jun 2005
Location: Australia
Posts: 2,469
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

fantastic work! I will give this a go in a sec. I too would love to see this merged with the ajax registration mod (but guess he will have to add to his). I will install this one now to send out the emails tho.

Edit: Just realized this was released by John ^^ great to see you back
Reply With Quote
  #27  
Old 08-14-2008, 06:33 AM
Hornstar Hornstar is offline
 
Join Date: Jun 2005
Location: Australia
Posts: 2,469
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

uploaded files. installed product, set it up in vboptions. then went to admincp/passsec.php page and just got a blue blank page with Password Security Tools written at the top and nothing else.

How do I run the scanner?


Edit, refreshed admincp and saw the password security tools tab show up ^^



Users with usernames as passwords: 5214 Users with common passwords: 8801
WOW lol, glad I got to use this before those spammers did.



EDIT: didnt work, I got a database error

Quote:
Database error in vBulletin 3.7.2:

Invalid SQL:
UPDATE user SET password='d8081298facbac11db76c31b92ff6f25' WHERE userid=2;

MySQL Error : Table '*****_backup.user' doesn't exist
Error Number : 1146
Request Date : Thursday, August 14th 2008 @ 03:36:04 AM
Error Date : Thursday, August 14th 2008 @ 03:36:04 AM
Script : http://www.gamerzneeds.net/forums/ad...?do=dopassscan
Referrer : http://www.gamerzneeds.net/forums/ad...reparepassscan
IP Address :
Username :
Classname : vB_Database
MySQL Version : 5.0.45-community
Reply With Quote
  #28  
Old 08-14-2008, 09:59 AM
RedTrinity's Avatar
RedTrinity RedTrinity is offline
 
Join Date: Mar 2008
Location: QLD, Australia
Posts: 265
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by John View Post
Ah, missed a table prefix. Download the zip again, and overwrite passsec.php.
Thanks for your support. I re-downloaded the ZIP, overwrote the old file with the new one and then re-imported the xml but am getting the same error, in the same place, as before
Reply With Quote
  #29  
Old 08-14-2008, 01:23 PM
DeepXP DeepXP is offline
 
Join Date: Apr 2005
Location: India
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I must say you have developed one of the best plugins out there. My forum was taken over by these spammers and with the help of your plugin, I could reset all the weak usernames.

Great work and thanks again for the effort.

Regards,
Deep
Reply With Quote
  #30  
Old 08-14-2008, 01:39 PM
Joe Siegler's Avatar
Joe Siegler Joe Siegler is offline
 
Join Date: Feb 2006
Posts: 71
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by TSR View Post
John, great work!

I just ran this on one of my bigboards and it ran flawless.
(vBulletin 3.7.2)

One suggestion, what about a report to the admin on all the accounts affected?

That would be a neat little feature.

Thanks again!
That's shown on screen to you if you sit there and watch it.
Reply With Quote
  #31  
Old 08-14-2008, 07:53 PM
benstafford benstafford is offline
 
Join Date: Jan 2007
Posts: 1
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Has anyone tried this with 3.6 yet? I saw the earlier posts from MGSteve about trying to get it to work by modifying the XML file, but he didn't reply back on success or failure.
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:14 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05288 seconds
  • Memory Usage 2,314KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (11)post_thanks_box
  • (1)post_thanks_box_bit
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete