0.4.0

  • Added option to restrict pwned admin privileges
  • New PwnedPasswordDetected event
  • Now requires beta 12 or up

Updating

composer update fof/pwned-passwords

0.5.0

  • beta 14 ready 🥳

Updating

composer require fof/pwned-passwords
php flarum cache:clear

0.7.0 🔐

  • Updated for beta 16

Updating

composer require fof/pwned-passwords:"*"

Hi thanks for maintaining this extension. Do you think we could alter the wording a bit and provide a link on the error message so people actually know how the extension works? Or better still you could provide a way for the Flarum admin to change the error message in the settings and link to their own privacy page?

A lot of people when they read "The password you chose is registered in the Pwned Passwords database, please choose a different one" will draw incorrect conclusions, e.g. that I sent their password to a 3rd-party. I'd prefer a message like: "Your password failed a compromised database check."

    Valeyard Do you think we could alter the wording a bit

    This can currently be accomplished if you have fof/linguist installed 🙂 all relevant translation keys for this extension can be found here for reference.

    We do not currently have plans to add options to alter the wording via extension settings.


    Just want to check whether what happens to me is normal.

    If user A uses 12345678 as their password,

    then user B won't be able to register with 12345678 as their password.

    I thought this extension was meant to prevent A from using the same password when A is changing their password.

    Thanks in advance for your attention. 😀

      ash3T This extension has nothing to do with users having the same password or changing to a previous password. This extension checks your password against an existing database of passwords exposed in data breaches, and prevents users from changing their password to one that has been in a data breach.

        ash3T see David's answer, but just as an aside, what you describe isn't possible without compromising security.

        To tell if a user is using the same password as another user would require not salting the password hashes, which opens you to Rainbow Table attacks if your database is ever stolen: https://en.wikipedia.org/wiki/Rainbow_table
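        The check David describes above, shown as an added example rather than the extension's own code: haveibeenpwned.com's Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 and returns every breached suffix that shares that prefix with its count, so the password itself is never sent to the third party Valeyard's post worries about. The response body here comes from a constructed offline stand-in; `fake_fetch_range` and the corpus counts are invented for the demonstration.

```python
import hashlib
from typing import Callable, Dict, Tuple

# fetch_range stands for the HTTP call to
# https://api.pwnedpasswords.com/range/<prefix>; only the five-character
# SHA-1 prefix travels to the service, the full hash never does.

def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; count-0 entries are the padding the API
    adds when a client sends 'Add-Padding: true' and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach occurrences of the password (0 = not found); the suffix
    comparison happens locally, on data the service never saw."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

# Constructed corpus for the offline stand-in: counts are made up, "abc123"
# is the password from the thread.
_CONSTRUCTED_CORPUS = {"abc123": 2_000_000, "password": 9_000_000}

def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the range endpoint: suffixes sharing the prefix plus one
    count-0 padding line, CRLF-joined like the real response body."""
    lines = []
    for pw, n in _CONSTRUCTED_CORPUS.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("0" * 34 + "F:0")  # padding entry, must be ignored
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("abc123", "abc123@#", "password"):
        print(candidate, "->", pwned_count(candidate, fake_fetch_range))
```

        Against the real service, `fetch_range` would be an HTTP GET of the prefix; the server-side hashing and the local suffix comparison stay exactly as shown.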


          I don't know if it is a bug or not, but even after changing the password to a different one, the message:

          Your account's current password is registered in the Pwned Passwords database. We've sent a password reset email to you.

          keeps showing for me

            louanbastos did you try a completely random password generated from a password manager?

            The Pwned Passwords database contains a huge list of passwords; if yours is not random there's a chance it's already in the database.

              clarkwinkelmann I created a similar password for a test; for example, my previous password was abc123 and I changed it to abc123@#. And it keeps showing my password as pwned.

              Yes, the password database is https://haveibeenpwned.com/Passwords . You can test the password over there to see if there's a difference in behavior compared with the extension.

              To generate a random password for testing, most password managers and web browsers will offer to generate a password when you focus a password field, but otherwise you can use an online generator like DuckDuckGo's instant answer https://duckduckgo.com/?q=password+16+strong&ia=answer

                clarkwinkelmann

                I tested my password through the indicated link, and it wasn't leaked. Unfortunately, a long time ago my email was leaked; however, with the email leaked but the password not leaked, the message keeps showing up, and this is a little annoying.
