- Reduce queries when triggering forced email 2FA
- Prevent rare DuplicateKeyException when forcing email 2FA and multiple tabs are being used
Thanks to @NamePros for sponsoring this update.
- Update compromised password alert text to be less awkward
- On updating passwords, remove any compromised password alerts to avoid user confusion
- Add "Force email two factor authentication on compromised password" option (default disabled)
- Add "Pwned password minimum count (soft)" option.
This allows a user to change their password to a known compromised value whose number of known hits is under the given number. This still generates compromised password alerts.
- Force the global namespace for functions that PHP can optimize to bytecode, and for known global functions, to avoid a lookup in the current namespace.
- Add "On login; alert the user if they have a known compromised password" option (default enabled)
- Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)
- Requires PHP 7.0+
- Now depends on Standard Library by Xon
- Supports XF2.2+
- Fix "Undefined index: match_sequence" error when "Force Reject" option is enabled
- Ensure Haveibeenpwned API failures are logged to XF's error log, while giving the end user a generic message. XF sanitizes password data out of the error log entries, so this is safe.
- Require XF2.1, drop XF2.0 support and use built-in Composer support.
- Update zxcvbn-php library to be more in line with zxcvbn-js
- Fix incorrect phrase being used on Haveibeenpwned API failure
- Add add-on & options icon
- Fix issue blocking user login when the user's password storage requires upgrading and they have a weak password.
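
The "Pwned password minimum count (soft)" behaviour described above, sketched as an added example (this is not the add-on's own code). It assumes the Pwned Passwords range response format of one `SUFFIX:COUNT` pair per line; the function names, the option value and the sample response are constructed for illustration.

```php
<?php
// Added example: function names, counts and passwords are constructed.

/** Split a password's SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept locally. */
function pwnedSplitHash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

/** Return the hit count for $suffix from a "SUFFIX:COUNT" response body, or 0 if it is not listed. */
function pwnedCountFromRange(string $body, string $suffix): int
{
    foreach (preg_split('/\r\n|\r|\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && hash_equals($suffix, strtoupper($parts[0]))) {
            return max(0, (int)$parts[1]);
        }
    }
    return 0;
}

/**
 * Soft minimum: a compromised password whose hit count is under $softMinimum
 * may still be set, but any non-zero count raises a compromised-password alert.
 */
function evaluatePasswordChange(int $count, int $softMinimum): array
{
    return [
        'allow' => $count === 0 || $count < $softMinimum,
        'alert' => $count > 0,
    ];
}

// Constructed response. A real range response lists suffixes for one prefix only;
// this body mixes two passwords for brevity, and the counts are made up.
list(, $rare)   = pwnedSplitHash('constructed-rare-example');
list(, $common) = pwnedSplitHash('constructed-common-example');
$body = "$rare:3\r\n$common:52000\r\n";

$soft = 10; // assumed value of the soft minimum count option
foreach (['constructed-rare-example', 'constructed-common-example', 'constructed-unseen-example'] as $pw) {
    list($prefix, $suffix) = pwnedSplitHash($pw);
    $r = evaluatePasswordChange(pwnedCountFromRange($body, $suffix), $soft);
    printf("%s allow=%s alert=%s\n", $prefix, var_export($r['allow'], true), var_export($r['alert'], true));
}
```

With the soft minimum at 10, the 3-hit password is accepted but alerted on, the 52000-hit password is rejected, and the unlisted password passes with no alert.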