Password Security Tools
Version: 1.3.2PL1, by John
Developer Last Online: Nov 2023

Category: Administrative and Maintenance Tools - Version: 3.7.2
Released: 08-12-2008 Last Update: 08-14-2008 Installs: 72
No support by the author.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Security Tools
For vBulletin 3.7.0 and above
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A product designed to combat the recent increase in weak password attacks by spammers.

For background information, read the following threads:
http://www.vbulletin.com/forum/showthread.php?t=278975
http://www.vbulletin.com/forum/showthread.php?t=281371

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Problem
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The problem stems from the fact that vBulletin doesn't check the quality of a user's password when registering or changing the password in the User CP. As a result, users are able to choose easily guessable passwords to protect their account. The most common passwords are things like "password", "12345", "qwerty", "letmein", as well as the user's own username. On a large forum, these poorly protected accounts can number hundreds or even thousands, and this has shown itself to be a prime opportunity for spammers to exploit. With a relatively simple script, spammers are able to scrape the member list from your forum and automatically validate which of the accounts have such passwords. A spammer with access to tens, hundreds or thousands of legitimate user accounts is a situation you don't want to be in.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What This Does
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This product has two main functions.
1. It prevents users from using their own username as a password, or any other commonly used word. (An editable list of banned passwords is available in the Admin CP.) The same rules apply if a user tries to change their password after registration.
2. It provides you with a tool to identify existing user accounts that have bad passwords, and lets you reset those passwords. Emails will be automatically dispatched to affected users notifying them of the change, and providing instructions on how to gain access to their account.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Installation
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To install:
1. Upload cpnav_passrepair.xml to includes/xml/
2. Upload passsec.php to admincp/
3. Upload product-passrepair.xml to your Admin CP as a product
4. Enable the product in vBulletin Options

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Scanner - Usage Notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The password scanning portion of this product is a utility designed for use by administrators. There are a few things to be aware of.
1. BACK UP YOUR DATA BEFORE USING THIS SCRIPT.
2. It's not a tool designed for frequent usage; it's a quick and dirty way of getting the job done. If Jelsoft don't address this issue, I might return to it and optimize the password scanner to make it a little less server-intensive. Use it sparingly, and close your forums before commencing a scan.
3. The password scanner has the potential to send out a lot of email. Use the "Users Per Page" setting to process accounts at whatever rate you deem your server capable of handling.
4. After you've installed this product it'll be impossible for users to register using a blacklisted or invalid password (or to change it to one afterwards). As a result, you should only need to use the password scanner once. Feel free to remove the passsec.php and cpnav_passrepair.xml files from your server once you're done with the scanner; the rest of the product will still function.
5. For unattended bulk processing of accounts, there's some JavaScript in passsec.php that's currently commented out. Use it at your own risk.

This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#42
08-17-2008, 04:31 AM
RedTrinity
Join Date: Mar 2008
Location: QLD, Australia
Posts: 265

Quote:
Originally Posted by John
Try the attached passsec.php in the above post.
Thanks John, works great now!!! 12 out of 1,009 members isn't too bad I suppose

Great mod, thanks again for sharing it with us

#43
08-18-2008, 05:40 AM
sinucello
Join Date: Apr 2006
Location: dutch-german border
Posts: 107

Hi,

for some reason the phrase:
Code:
<phrasetype name="Access Masks" fieldname="accessmask">
			<phrase name="username_cannot_equal_password" date="1218509082" username="John" version="1.0.0"><![CDATA[Your password cannot be the same as your username.]]></phrase>
		</phrasetype>
couldn't be found and I had to add a new phrase with the same name for the product "vBulletin", phrase type "Error Messages" to make the error message appear in the user-registration dialogue.

all the best,
Sacha

#44
08-18-2008, 05:53 AM
sinucello
Join Date: Apr 2006
Location: dutch-german border
Posts: 107

Hi,

hm, is it correct that vBulletin doesn't offer an option to set the min. password length? If so, could you add that as a feature for your mod?

all the best,
Sacha

#45
08-19-2008, 04:59 AM
John
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543

Quote:
Originally Posted by sinucello
Hi,

hm, is it correct that vBulletin doesn't offer an option to set the min. password length? If so, could you add that as a feature for your mod?

all the best,
Sacha
For some reason the vBulletin developers think that client-side hashing is a more valuable feature than being able to prevent poor quality passwords from being used by members. vBulletin's client-side hashing feature means that it's impossible to do any checks on the password, since it never reaches the server in clear text form. If someone intercepts your network traffic they can still gain access to your account using the md5 hash. The only protection offered is that in the rare event that this happens, the original clear text password won't be discovered. (Following the safe practice of using different passwords on different sites thwarts this.)

Anyway, the short answer is no - without disabling client-side md5 hashing it's impossible to check password length.
Reply With Quote
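
Added example, not code from the mod or from vBulletin: a banned-password check that still works when only a hash is available, covering both the registration-time check and the account scanner described in the first post. It assumes the browser submits md5(password) and the user table stores md5(md5(password) . salt); the function names and sample rows are constructed for illustration.

```php
<?php
// Added example, not the mod's code. Assumed scheme: the browser submits
// md5(password); the user table stores md5(md5(password) . salt).

/** Banned words plus the username, in the case variants users tend to type. */
function weak_candidates(string $username, array $banned): array
{
    $out = [];
    foreach (array_merge($banned, [$username]) as $w) {
        $lower = strtolower($w);
        array_push($out, $w, $lower, ucfirst($lower));
    }
    return array_values(array_unique($out));
}

/** Registration or password change: only the client-side hash is available. */
function submitted_hash_is_weak(string $clientMd5, string $username, array $banned): bool
{
    foreach (weak_candidates($username, $banned) as $word) {
        if (hash_equals(md5($word), strtolower($clientMd5))) {
            return true;
        }
    }
    return false; // length or character rules cannot be derived from a hash
}

/** Scanner: test one stored hash and salt against the same candidate list. */
function stored_hash_is_weak(string $hash, string $salt, string $username, array $banned): bool
{
    foreach (weak_candidates($username, $banned) as $word) {
        if (hash_equals(md5(md5($word) . $salt), strtolower($hash))) {
            return true;
        }
    }
    return false;
}

// Constructed sample rows (not from any real forum).
$banned = ['password', '12345', 'qwerty', 'letmein'];
$users = [
    ['alice', 'x7Q', md5(md5('letmein') . 'x7Q')],           // banned word
    ['Bob',   'k2!', md5(md5('bob') . 'k2!')],               // own username
    ['carol', 'p9#', md5(md5('T4!vq-long-random') . 'p9#')], // neither
];
foreach ($users as [$name, $salt, $hash]) {
    printf("%-6s %s\n", $name, stored_hash_is_weak($hash, $salt, $name, $banned) ? 'reset required' : 'ok');
}
```

Because each row has its own salt under the assumed scheme, the scanner has to recompute every candidate for every account, which is why a full scan is comparatively expensive on a large user table.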

#46
08-19-2008, 05:27 AM
sinucello
Join Date: Apr 2006
Location: dutch-german border
Posts: 107

Hi,
Quote:
Originally Posted by John
Anyway, the short answer is no - without disabling client-side md5 hashing it's impossible to check password length.
thanks very much for your detailed answer. I added a password info-text, use your editable list of banned passwords and hope that someday the devs will change their minds.

all the best,
Sacha

#47
08-20-2008, 05:50 AM
Hornstar
Join Date: Jun 2005
Location: Australia
Posts: 2,469

Finally vB will be adding this to their next release later this week (or next).

#48
08-26-2008, 08:21 PM
puertoblack2003
Join Date: Aug 2005
Location: Philadelphia
Posts: 1,073

Just curious: now that vB has implemented this, should this hack be required, or keep it as an extra secured feature?

#49
08-27-2008, 04:32 PM
lord_of_chaos
Join Date: Mar 2006
Posts: 23

VB doesn't check for common words.

#50
08-28-2008, 02:08 PM
Alfa1
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537

Does this hack need to be updated, now that vBulletin has implemented part of the functionality? I assume that they coded it in a different way than John did.

Is there or will there be, a password strength bar?

#51
08-28-2008, 02:58 PM
sinucello
Join Date: Apr 2006
Location: dutch-german border
Posts: 107

Hi,
Quote:
Originally Posted by Alfa1
Does this hack need to be updated, now that vBulletin has implemented part of the functionality? I assume that they coded it in a different way than John did.

Is there or will there be, a password strength bar?
I just upgraded to 3.7.3 with this mod installed. Everything works but the "username/pw have to be unique" error message will appear twice. So I disabled the mod though vB doesn't have the list of unwanted passwords feature.

hth,
Sacha