MyBB Community Forums Development Suggestions and Feedback v
[New Feature] Check passwords againist HaveIBeenPwned

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
New Feature Check passwords againist HaveIBeenPwned
Lunorian Offline
Internet Philosopher
****
Posts: 710
Threads: 126
Joined: May 2016
Reputation: 25
#1
01-12-2019, 05:39 PM
I think that registration, change password, and login should check a user's password against HaveIBeenPwned. Their API (supporting KAnonymity meaning they don't see the actual password or specific user) lets you do this easily, there's even a PHP package for it (https://github.com/DragonBe/hibp). This would improve account security and reduce the number of hacked MyBB accounts. Before someone says this could be a plugin, I disagree, why isn't StopForumSpam a plugin, why isn't Google's recaptcha a plugin? The justification is clear.
Software Engineer specializing in Crystal Program Development

Find
Reply
Omar G. Offline
ლ(ಠ_ಠლ)

Development
Posts: 7,742
Threads: 293
Joined: Jan 2010
Reputation: 292
#2
01-12-2019, 07:35 PM
I would rather include a password strength check as core.
https://github.com/bjeavons/zxcvbn-php
Website Find
Reply
Serpius Offline
Posting Freak
*****
Posts: 1,738
Threads: 61
Joined: Dec 2016
Reputation: 83
#3
01-13-2019, 08:55 AM
(01-12-2019, 05:39 PM)Lunorian Wrote: Before someone says this could be a plugin, I disagree, why isn't StopForumSpam a plugin, why isn't Google's recaptcha a plugin? The justification is clear.

StopForumSpam protects against SPAM, not illegal/hacked MyBB accounts. Anti-spam is the primary goal of this option.

Google's Recaptcha protects against posting bots (illegal or otherwise) and that is the primary goal of this option. This option has nothing to do with dealing with illegal/hacked MyBB accounts.

If you want the 'HaveIBeenPwned' option to be added into the MyBB core programming, then you have to go through the proper channels, like THIS FORUM for your suggestions to be implemented.

Then the MyBB development team will decide whether or not this is justified. 

If this is justified, then the proper code will be added into MyBB's core programming.
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: 5M7sb0n.png?1]
Website Find
Reply
Ben Cousins Offline
Arbitrarily Abrasive
*****
Posts: 2,951
Threads: 56
Joined: Dec 2011
Reputation: 101
#4
01-13-2019, 08:58 AM
(01-13-2019, 08:55 AM)Serpius Wrote: StopForumSpam protects against SPAM, not illegal/hacked MyBB accounts. Anti-spam is the primary goal of this option.

This is correct. Moreover, and not mentioned here, is that SFS also used to be a 1.6 plugin, and was added into core in 1.8, as it is, actually, a useful feature.
[Image: kAhpvOW.png]
Website Find
Reply
Euan T Offline
MyBB Team

Development

Security

Web
Posts: 15,134
Threads: 238
Joined: Jun 2009
Reputation: 678
#5
01-13-2019, 03:00 PM
I would like to see a plugin available first to gauge how much use it gets and to allow the code to be refined outside of the core. It can always then be integrated in later versions if it gets enough use and there's a clear reason to do so.
Website Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)