Miscellaneous Hacks - Password Strength Check

What is it?
----------------------------
This mod adds a check for password strength at registration and when a user changes their password. You can specify the minimum length and number of upper case, digits, and other characters you want to require (see screen grab 3), or you can choose a minimum score to allow (based on length and types of characters included, see screen grab 4).

Installation:
----------------------------
1) Upload the files in the upload directory to the appropriate locations.

2) In the Product Manager in AdminCP, import the product XML file (product-kh99_passwords.xml).

3) In the admincp, go to "[kh99] Password Policy Options" and select the options you want.

Uninstalling:
----------------------------
1) Uninstall the product from the Product Manager in the AdminCP.

2) Remove the uploaded files.

Notes:
----------------------------
1) Tested on vb3.8.8. I also test a bit on vb3.8.2 (mostly for php version compatibility) and it seems to work.

History:
----------------------------
0.9.0 (October 14, 2013) - Initial Release

[kh99]

Quote:

Originally Posted by Alfa1

Its not showing up on /profile.php?do=editpassword
What do I need to add to the template?

ReCaptcha is no longer showing up on registration now that this is added.

Hmm...I'm not sure what's going on there. If it's affecting the recaptcha, then it might be a javascript problem. You could check the browser error console to see. Unfortunately I don't have time right now to support these mods.

[Alfa1]

I understand. Thanks for making this addon.
However, vbulletin is getting too outdated and insecure for me. I am seeing hack attacks left and right and my big board has recently seen a massive attack using IPv6 vulnerability. I need to get off vbulletin ASAP.

[Dave]

IPv6 vulnerability? Are we talking about DDoS attacks here?
vBulletin can't be blamed for DDoS attacks or a IPv6 vulnerability, unless it actually abuses a vBulletin vulnerability.

[Alfa1]

See here: https://theadminzone.com/threads/vbu...counts.136907/

[kh99]

Quote:

Originally Posted by Alfa1

See here: https://theadminzone.com/threads/vbu...counts.136907/

I didn't read that entire thread because I have no interest in the bickering. I also don't know a lot about ipv6, but it seems to me if I were running vbulletin on a server that was reachable via ipv6, I'd configure the web server to listen only to the ipv4 address, then remove any ipv6 DNS records from my domain name. It seems like that would avoid the issue until ipv4 doesn't work any more. But maybe there's some reason I don't understand for not doing that.

[VIP Hawaii]

I don't know what happened, but, early on in my installation of VBulletin and various products, I installed your Password Strength Check mod .... after some 6 months of work, all of a sudden the 180 day password expiration message popped up ... I went, 'ugh', and figured OK I'll just change the password, or if I don't want this message popping up, I'll just disable the product so I can log in again ...

Since at that moment I still had a current cookie-supported AdminCP login, I tried a few things : Apparently just disabling the product from within its own AdminCP controls did not work, so I tried disabling it from Products Manager ... that didn't work either so I tried to uninstall the product from Products Manager, then removing all the files that were installed ... : that didn't work either!

I finally thought, OK, so somehow this product had 'seen' that my password was 180 days old so it set something into some database file making it so I had to change my password ... so I'll try setting Windows back 14 days so I can fool this product into thinking it's not 180 days yet, then log into the AdminCP, uninstall this product, then change the clock back, and log in again (I also rebooted the computer etc. before trying to log in again) ... even after uninstall and removal of all the product files, as you direct to do in your UNINSTALL instructions, I still cannot log in, getting that "your password is 18x days old" message ... when I click on the link to reset the password, the link will say it's sent my password, but for whatever reason the built-in email function in Vbulletin isn't working ... I even set up HMail server but that doesn't seem to be sending me the mail either... cannot log into the site let alone the AdminCP so without setting the clock back again and trying another login I will not be able to ever get back into the AdminCP ... HOW DO I ***REALLY*** UNINSTALL THIS PRODUCT? If it causes this kind of damage potentially, it should be QUARANTINED ...

I should also mention that I have tried disabling all hooks in /includes/config.php and also had "undeletable users" set for my Administrator account (how then can it have changed my 'old' password then? I thought that config.php rules 'RULED' over all other settings!!!))) ... whenever I would try to paste in my 'old' password (which is definitely correct!) to change the password, I'd get a message saying I had not typed my *current* password in correctly! I have also tried removing all related cookies, restarting Firefox, again, no go. Tried of course, restoring older versions of the database (after installation of this mod but before the 180 days had passed), resetting the clock backwards, then forwards, still no go. Tried logging in using tools.php ... this seemed to work once, then would not work again ... still can't get in. I finally tried resetting the clock to present time, then tried tools.php Admin restore, then tried going to the password modification page this mod presents ... I removed whatever was in the 'old password' field, put in my newer password after having changed it in AdminCP at some point ... no go. Tried putting in the OLD password, and for some reason (still unknown to me), I was able to change the password ... then tried logging out, then in again as Administrator and was able to log into AdminCP ... right at the moment things look pretty normal again ... but : (soap opera music plays) 1. Will I be able to uninstall this thing successfully? 2. Will I get locked out again in about 6 months? 3. Will I be able to get back in again? 4. Will this happen to my other users? 5. Will this mod ever be fixed and updated?

Hey, I can understand if someone does not have the time to support a mod they have created, but when that mod has the capability of LOCKING OUT THE ADMIN, that no-support policy should be changed for that mod, at least until it's fixed.

VIP

[kh99]

First, I'm sorry that you're having problems. The fact is that while I won't rule out ever making ny changes or releasing fixes, at this point you'd have to consider all my mods as unsupported. And you're right, if one of them has an issue it should be quarantined, although I think that may only done for security issues and not for bugs.

That said, if I understand you correctly you seem to believe that the "Your password is 180 days old" screen is displayed by my mod, but it's not, that's a feature of vbulletin. It can be turned off by a setting somewhere I believe, but I have no way of finding which one right now. Maybe I'mm not understanding what you're saying, because I don't really understand why you didn't just change your password.