01-12-2019, 05:39 PM
I think that registration, change password, and login should check a user's password against HaveIBeenPwned. Their API (supporting k-anonymity, meaning they don't see the actual password or specific user) lets you do this easily; there's even a PHP package for it (https://github.com/DragonBe/hibp). This would improve account security and reduce the number of hacked MyBB accounts. Before someone says this could be a plugin, I disagree. Why isn't StopForumSpam a plugin? Why isn't Google's reCAPTCHA a plugin? The justification is clear.
Software Engineer specializing in Crystal Program Development
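
The k-anonymity lookup the post above refers to, as an added example that is not part of the original post and is not code from MyBB or the DragonBe/hibp package. The function names and the `$fetchRange` callable are hypothetical; the stub response is constructed so the check runs offline.

```php
<?php
// Added example. Only the first 5 hex characters of the SHA-1 digest are sent;
// the comparison against the returned suffixes happens locally.

/** Breach count for $password, 0 if absent, null if the lookup failed. */
function pwned_count(string $password, callable $fetchRange): ?int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);   // the only value that leaves the server
    $suffix = substr($hash, 5);      // remaining 35 characters, kept local

    $body = $fetchRange($prefix);
    if ($body === null) {
        return null;                 // caller decides: fail open or fail closed
    }
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);   // each row is "SUFFIX:COUNT"
        if (count($parts) === 2 && hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1];  // padded rows carry a count of 0
        }
    }
    return 0;
}

/** Live fetcher for the Pwned Passwords range endpoint (needs allow_url_fopen and TLS). */
function hibp_fetch_range(string $prefix): ?string
{
    $ctx = stream_context_create(['http' => [
        'timeout' => 3,
        'header'  => "User-Agent: hibp-example\r\nAdd-Padding: true\r\n",
    ]]);
    $body = @file_get_contents("https://api.pwnedpasswords.com/range/$prefix", false, $ctx);
    return $body === false ? null : $body;
}

// Constructed stub standing in for the API: one padding-style row, plus a
// row for 'password' with a made-up count when its prefix is requested.
$stub = function (string $prefix): ?string {
    $known = strtoupper(sha1('password'));
    $rows  = [str_repeat('0', 35) . ':0'];
    if (substr($known, 0, 5) === $prefix) {
        $rows[] = substr($known, 5) . ':42';
    }
    return implode("\r\n", $rows);
};

foreach (['password', 'correct horse battery staple'] as $candidate) {
    $n = pwned_count($candidate, $stub);
    echo $candidate, ' => ', $n > 0 ? "reject (seen $n times)" : 'accept', PHP_EOL;
}
```

In a registration or password-change handler, a `null` result (API unreachable) should not by itself block the user unless the site has decided to fail closed.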