- Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
- Fix cases where email 2fa would not be forced enabled on the first login request after a password is discovered as compromised
- Rename various options to be better searchable
- Adjust various option defaults to be more robust.
- 'Minimum password length' from 8 => 10 characters
- 'Minimum password strength' from 'very weak' to 'weak'
- 'Pwned password...
- Require StandardLib v1.18.0+
- Add new "User-group for compromised passwords" option, which adds uses to the selected user-group when it is detected they have a compromised password on login.
Defaults to disabled. Useful for targeting with notices
- Fix changing user entity while a write is pending in some cases
- Add "Use rejected password fragments in password meter" option (default disabled).
Take rejected password fragments into consideration when showing the password strength meter to the user.
Security note: this makes the full list of rejected password fragments visible to end users; ensure that there aren't any sensitive password fragments before enabling.
- Add "Force password reset on compromised password" option
- This option is likely overkill for most sites, and is not generally recommended
Require standardLib v1.20.0+
Restore XF2.1 support, note front-end Zxcvbn requires XF2.2+
Support XF2.3+
php 8.4+ compatibility
Fix javascript error when using XF2.3
- Fix javascript error for XF2.2
php 8.4+ compatibility fixes
Rename option "Password check types" to "New password validation rules"
Add "On login; consider known-bad passwords as compromised" option (default false)
Add new password validation rule "Prevent passwords which contain the user's email or username, and the site's domain/name." (default false)