Check password / email on login
22 Aug 2017 11:20 - 25 Aug 2017 09:50 #1
by Rüdiger Schultz
Ruediger Schultz
Schultz IT Solutions
Please support jDBexport on JOOMLA Extension directory (JED) at
extensions.joomla.org/extensions/extensi...ta-reports/jdbexport
In the plugin configuration (available in the system plugin) you can activate the checking of current passwords / emails during the login of your existing users.
This option is meant as a service to your users. It checks their current email addresses or passwords against the 'Have I been pwned?' database and returns a message to the user if the email address or password is found there.
If you set the "allow pwned passwords" setting to NO, AND "check on login" to PASSWORD, then the user will be forwarded automatically to the "change password" page with a respective message (but of course only if the password is found in the 'Have I been pwned?' database).
You can either check passwords OR email addresses during login, but not both in one step.
This is due to the request rate limit that the Have I been pwned? API imposes. Sending both requests during login would most likely result in a "rate limit exceeded" response.
So we suggest you activate the "password" option in a first phase, and after a while change to the "email" option. Eventually, you should deactivate this option anyway, because there will be no new information for your users anymore.
Background information on this feature
If you activate the "password" option here, the plugin takes the user-provided password (before it is hashed and compared with the stored hash in the database) and checks it against the "Have I been pwned?" database. That means that whatever the user enters into the login/password field will be checked, regardless of whether these credentials are actually correct for the user to log in.
If you activate the "email" option here, the plugin takes the email address (from the user's profile data) after the user has successfully logged in.
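To show what a password check of this kind looks like in practice, here is an added Python example (not the plugin's own code, which is PHP and not shown in this post) that uses the HIBP Pwned Passwords range API and its k-anonymity model: only the first five hex characters of the password's SHA-1 hash are sent, the remaining 35 are matched locally, so the plaintext password never leaves the site. The function names, the decision helper mirroring the "allow pwned passwords" setting, and the sample range response are assumptions constructed for this example; whether jDBexport itself uses the range endpoint is not stated in the post.

```python
import hashlib
import urllib.request

# Public HIBP Pwned Passwords k-anonymity endpoint (real URL); the rest is example code.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest: 5-char prefix (sent), 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line); return our suffix's count, 0 if absent.
    Padded responses contain filler lines with a count of 0, which must also read as 'not found'."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0

def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Network call: download the whole range for a hash prefix. Only the prefix leaves the site."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-login-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach occurrences for the password (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))

def login_decision(count: int, allow_pwned: bool) -> str:
    """Mirror the settings described above: warn only, or force a password change."""
    if count == 0:
        return "ok"
    return "warn" if allow_pwned else "force-change"

# Constructed sample of a range response for prefix 5BAA6 (not real API output, counts invented).
SAMPLE_RESPONSE = (
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:0\r\n"
)

def check_against_sample(password: str) -> int:
    """Offline variant: the same logic run against the constructed sample instead of the API."""
    return pwned_count(password, fetch=lambda prefix: SAMPLE_RESPONSE)
```

A real deployment should treat a network error or timeout as "not checked" and let the login proceed, rather than locking users out when the API is unreachable.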