Require StandardLib v1.23.0+
Add custom 2FA device trust lifetime option (default disabled)
Phrase to customize: svPasswordTools_trust_device_desc_x / svPasswordTools_trust_this_device_for_30_days_x
Only plural phrases, because why would you force 2FA to 1 day? That is horrible.
Require StandardLib v1.22.0+
Reduce the pwnedpassword check HTTP request time-out from 2 seconds to 1 second. This check blocks the login request and should only take a few tens of milliseconds, so fail faster instead of waiting
Add a password test page; this tests all the ways a password could fail, including methods which aren't enabled
Fix internal server error when registering an account without an email address (requires 3rd party addon to trigger)
- Fix server error when a password is very long
- Add "Force two-step verification" permission
  - If enabled for a user, prevents email 2FA from being disabled
- For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it
- Align defaults with NIST Password Guidelines for 2024
  - Update "New password validation rules" defaults: "Prevent passwords which contain the user's email or username, and the site's domain/name" defaults to true
  - Update "Minimum password length" default to 15
PHP 8.4+ compatibility fixes
Rename option "Password check types" to "New password validation rules"
Add "On login; consider known-bad passwords as compromised" option (default false)
Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)
Require StandardLib v1.20.0+
Restore XF2.1 support; note that front-end Zxcvbn requires XF2.2+
Support XF2.3+
PHP 8.4+ compatibility
- Add "Force password reset on compromised password" option
  - This option is likely overkill for most sites, and is not generally recommended