Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 3.7 > vBulletin 3.7 Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Password Security Tools Details »»
Password Security Tools
Version: 1.3.2PL1, by John John is offline
Developer Last Online: Nov 2023 Show Printable Version Email this Page

Category: Administrative and Maintenance Tools - Version: 3.7.2 Rating:
Released: 08-12-2008 Last Update: 08-14-2008 Installs: 72
DB Changes Uses Plugins
Re-useable Code Additional Files Translations Is in Beta Stage  
No support by the author.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Security Tools
For vBulletin 3.7.0 and above
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A product designed to combat the recent increase in weak password attacks by spammers.

For background information, read the following threads:
http://www.vbulletin.com/forum/showthread.php?t=278975
http://www.vbulletin.com/forum/showthread.php?t=281371

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Problem
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The problem stems from the fact that vBulletin doesn't check the quality of a user's password when registering or changing the password in the User CP. As a result, users are able to choose easily guessable passwords to protect their account. The most common passwords are things like "password", "12345", "qwerty", "letmein", as well as the user's own username. On a large forum, these poorly protected accounts can number hundreds or even thousands, and this has shown itself to be a prime opportunity for spammers to exploit. With a relatively simple script, spammers are able to scrape the member list from your forum and automatically validate which of the accounts have such passwords. A spammer with access to tens, hundreds or thousands of legitimate user accounts is a situation you don't want to be in.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What This Does
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This product has two main functions.
1. It prevents users from using their own username as a password, or any other commonly used word. (An editable list of banned passwords is available in the Admin CP.) The same rules apply if a user tries to change their password after registration.
2. It provides you with a tool to identify existing user accounts that have bad passwords, and lets you reset those passwords. Emails will be automatically dispatched to affected users notifying them of the change, and providing instructions on how to gain access to their account.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Installation
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To install:
1. Upload cpnav_passrepair.xml to includes/xml/
2. Upload passsec.php to admincp/
3. Upload product-passrepair.xml to your Admin CP as a product
4. Enable the product in vBulletin Options

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Password Scanner - Usage Notes
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The password scanning portion of this product is a utility designed for use by administrators. There are a few things to be aware of.
1. BACK UP YOUR DATA BEFORE USING THIS SCRIPT.
2. It's not a tool designed for frequent usage, it's a quick and dirty way of getting the job done. If Jelsoft don't address this issue, I might return to it and optimize the password scanner to make it a little less server intensive. Use it sparingly, and close your forums before commencing a scan.
3. The password scanner has the potential to send out a lot of email. Use the "Users Per Page" setting to process accounts at whatever rate you deem your server capable of handling.
4. After you've installed this product it'll be impossible for users to register using a blacklisted or invalid password (or to change it to one afterwards). As a result, you should only need to use the password scanner once. Feel free to remove the passsec.php and cpnav_passrepair.xml files from your server once you're done with the scanner, the rest of the product will still function.
5. For unattended bulk processing of accounts, there's some javascript in passsec.php that's currently commented out. Use it at your own risk.

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
markslevent

Comments
  #52  
Old 12-31-2008, 04:14 PM
LCN2007 LCN2007 is offline
 
Join Date: Jul 2007
Posts: 323
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

so vb does this now? what version?

From what i read in this thread it seems that this mod is better since it includes bad word list.
Reply With Quote
  #53  
Old 12-31-2008, 04:21 PM
LCN2007 LCN2007 is offline
 
Join Date: Jul 2007
Posts: 323
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I looked up the vb update.
Quote:
Username=Password Disallowed

In this release, users will no longer be allowed to set their username and passwords to the same value. Users who already have a password that is the same as their username will be forced to change their password on their next login. Additionally, a tool has be added to the Admin Control Panel to email affected users with a new password. Please be aware of these potential compatibility changes when upgrading.
I still think that this mod is still better than what vb has done since they only addressed 1/2 the problem and since i haven't upgrade to 3.7.3 yet. I need to renew my vb membership.

I just wish there was a way to mandate a min password length on the forum.

Great mod John thank you for this.
Reply With Quote
  #54  
Old 02-11-2010, 05:57 PM
MessageParis1 MessageParis1 is offline
 
Join Date: Dec 2008
Posts: 1
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by LCN2007 View Post
I looked up the vb update.


I still think that this mod is still better than what vb has done since they only addressed 1/2 the problem and since i haven't upgrade to 3.7.3 yet. I need to renew my vb membership.

I just wish there was a way to mandate a min password length on the forum.
Apologies for reviving such an old thread, but I just discovered this add-on and it works great with my 3.8.4 installation. However I wanted to do at least something to enforce a minimum password length, so I modified the verify_passwords javascript function in the register template (changes are in red):


Code:
<script type="text/javascript">
function verify_passwords(password1, password2, minlength)
{
	// do various checks, this will save people noticing mistakes on next page
	if (password1.value == '' || password2.value == '')
	{
		alert('$vbphrase[fill_out_both_password_fields]');
		return false;
	}
	else if (password1.value != password2.value)
	{
		alert('$vbphrase[entered_passwords_do_not_match]');
		return false;
	}
	else if (password1.value.length < minlength)
	{
		alert('Your password is too short. It has to be at least ' + minlength + ' characters');
		return false;
	}

	else
	{
		<if condition="$show['coppa']">
		pass_copy = password1.value;
		passconfirm_copy = password2.value;
		</if>

		var junk_output;

		md5hash(password1, document.forms.register.password_md5, junk_output, $show[nopasswordempty]);
		md5hash(password2, document.forms.register.passwordconfirm_md5, junk_output, $show[nopasswordempty]);

		<if condition="$show['coppa']">
		document.forms.register.password.value = pass_copy;
		document.forms.register.passwordconfirm.value = passconfirm_copy;
		</if>

		return true;
	}
	return false;
}
</script>
and immediately after in the same register template:

Code:
<form action="register.php?do=addmember" name="register" method="post" onsubmit="return verify_passwords(password, passwordconfirm, 8);">
Reply With Quote
  #55  
Old 12-01-2010, 10:32 PM
adwade adwade is offline
 
Join Date: Aug 2006
Location: SouthEast, TN
Posts: 323
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

the MOD states: "After confirming your email address is valid, we'll send you your new password." in an email to users, but I don't see anywhere how many characters the new/generated Password is. I assume it's a random mix of letters/numbers, but how l-o-n-g is the password it refers to?
Reply With Quote
  #56  
Old 12-02-2010, 02:34 AM
adwade adwade is offline
 
Join Date: Aug 2006
Location: SouthEast, TN
Posts: 323
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by MessageParis1 View Post
Apologies for reviving such an old thread, but I just discovered this add-on and it works great with my 3.8.4 installation. However I wanted to do at least something to enforce a minimum password length, so I modified the verify_passwords javascript function in the register template
That worked PERFECTLY, but I have one other question. If a user chooses to later revise their password via the UserCP (i.e. profile.php?do=editpassword function) then they are no longer held to an 8 Character Minimum Length password since this type CODE does not exist there.

Does anyone have an idea as to what additional CODE one would need to insert into the profile.php file to force users to always update their passwords using at least 8 characters? Or should such revisions be made in the modifypassword template?
Reply With Quote
  #57  
Old 11-29-2012, 09:29 AM
markslevent markslevent is offline
 
Join Date: Jan 2012
Posts: 3
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks a lot.It worked for me on 3.8.7.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 06:33 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05391 seconds
  • Memory Usage 2,280KB
  • Queries Executed 21 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (7)post_thanks_box
  • (1)post_thanks_box_bit
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (7)post_thanks_postbit_info
  • (6)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete