Actually implement the cron job that prunes the pwned password hash cache. Old entries were already being ignored, so this should just reduce MySQL table bloat
Fix a denial-of-service vector by rejecting overly long passwords, which could otherwise trigger a factorial number of brute-force password checks inside Zxcvbn
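The shape of that fix, as an added PHP example that is not the add-on's own code: the cheap length guard runs before the strength estimator ever sees the input, so the expensive matching work is bounded. The byte limit, the result array layout and the stand-in estimator are assumptions made for the demo; the real add-on would wrap the Zxcvbn library in the callable.

```php
<?php
declare(strict_types=1);

// Added example (not the add-on's code): cap the length of a candidate
// password BEFORE handing it to a strength estimator such as Zxcvbn, whose
// matching work grows super-linearly with input length. The limit value,
// the result layout and the estimator callable are assumptions.

const MAX_ESTIMATOR_INPUT_BYTES = 256; // assumed limit, not the add-on's value

/**
 * Returns an error key if the password must be rejected before any expensive
 * work is done, otherwise null.
 */
function rejectIfTooLong(string $password): ?string
{
    // Measure bytes, not characters: the estimator sees the raw string, and
    // multi-byte characters only make that longer.
    return \strlen($password) > MAX_ESTIMATOR_INPUT_BYTES ? 'password_too_long' : null;
}

/**
 * Runs the cheap length guard first and only then the estimator.
 * $estimator is any callable(string): int returning a 0..4 score; in the real
 * add-on this would wrap the Zxcvbn library.
 */
function checkPasswordStrength(string $password, callable $estimator): array
{
    if (($error = rejectIfTooLong($password)) !== null) {
        return ['ok' => false, 'error' => $error, 'score' => null];
    }
    return ['ok' => true, 'error' => null, 'score' => $estimator($password)];
}

// Stand-in estimator for the demo: a crude score from character classes.
// It is deliberately cheap; the real estimator is the expensive part being guarded.
$standInEstimator = static function (string $password): int {
    $classes = (int) \preg_match('/[a-z]/', $password)
             + (int) \preg_match('/[A-Z]/', $password)
             + (int) \preg_match('/[0-9]/', $password)
             + (int) \preg_match('/[^a-zA-Z0-9]/', $password);
    return \min(4, $classes);
};

// A normal password reaches the estimator; a 10,000-byte one is rejected
// before the estimator is called at all.
\var_dump(checkPasswordStrength('Correct-Horse-9', $standInEstimator));
\var_dump(checkPasswordStrength(\str_repeat('a', 10000), $standInEstimator));
```

The order matters more than the limit itself: any other validation that is linear in the input (complexity rules, the pwned-password hash) can safely run after the guard, but the estimator must never run before it.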
Update the default options for new installs to more recommended values:
Enforce password complexity for admins
Enable "Length check" by default, and set "Minimum length" to 8
Enable "Pwned password validation" by default
Update compromised password alert text to be less awkward
When a user updates their password, remove any compromised password alerts for that user to avoid confusion
Add "Force email two factor authentication on compromised password" option (default disabled)
Add "Pwned password minimum count (soft)" option.
This allows a user to change their password to a known compromised value whose number of known hits is below the configured count. Such a change still generates a compromised password alert
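How the soft count fits into a pwned-password lookup, as an added PHP example that is not the add-on's code. It assumes the add-on checks passwords against the Have I Been Pwned "Pwned Passwords" range API (the client sends the first five hex characters of the uppercase SHA-1 hash and gets back `SUFFIX:COUNT` lines for every known hash with that prefix); the range response body and its counts are constructed for the demo, and the function names and the `ok`/`warn`/`reject` outcomes are my own.

```php
<?php
declare(strict_types=1);

// Added example (not the add-on's code). Assumes the Have I Been Pwned
// "Pwned Passwords" range API: send the first five hex chars of the uppercase
// SHA-1 hash, receive "HASH_SUFFIX:COUNT" lines for that prefix. The response
// body below is constructed for the demo; no network request is made.

/** Split a password's SHA-1 into the 5-char prefix sent and the suffix kept local. */
function hibpHashParts(string $password): array
{
    $hash = \strtoupper(\sha1($password));
    return [\substr($hash, 0, 5), \substr($hash, 5)];
}

/** Parse a range response body into [SUFFIX => count]. Malformed lines are skipped. */
function parseRangeResponse(string $body): array
{
    $counts = [];
    foreach (\preg_split('/\r?\n/', $body) as $line) {
        $line = \trim($line);
        if ($line === '' || \strpos($line, ':') === false) {
            continue;
        }
        [$suffix, $count] = \explode(':', $line, 2);
        if (!\ctype_xdigit($suffix) || !\ctype_digit($count)) {
            continue;
        }
        $counts[\strtoupper($suffix)] = (int) $count;
    }
    return $counts;
}

/**
 * Apply the "minimum count (soft)" rule to a breach hit count:
 *   'ok'     no known hits
 *   'warn'   known hits, but fewer than $softMinimumCount: the change is
 *            allowed and a compromised-password alert is still raised
 *   'reject' hits at or above $softMinimumCount (with a soft minimum of 0,
 *            every known hit is rejected)
 */
function pwnedPasswordDecision(int $hits, int $softMinimumCount): string
{
    if ($hits <= 0) {
        return 'ok';
    }
    return $hits < $softMinimumCount ? 'warn' : 'reject';
}

/** End-to-end check of one candidate password against one range response. */
function checkCandidate(string $password, string $rangeBody, int $softMinimumCount): array
{
    [$prefix, $suffix] = hibpHashParts($password);
    $hits = parseRangeResponse($rangeBody)[$suffix] ?? 0;
    return [
        'prefix'   => $prefix,
        'hits'     => $hits,
        'decision' => pwnedPasswordDecision($hits, $softMinimumCount),
    ];
}

// Constructed response for prefix 5BAA6 (the prefix of sha1("password")).
// The counts are invented for the demo, not real breach figures.
$constructedRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
                  . "0000000000000000000000000000000000A:7\n";

// Same hit count, different soft minimum: rejected at 0, allowed-with-alert at 5000.
\var_dump(checkCandidate('password', $constructedRange, 0));
\var_dump(checkCandidate('password', $constructedRange, 5000));
// A value whose suffix is absent from the response has no known hits.
\var_dump(checkCandidate('some-other-value', $constructedRange, 0));
```

Only the five-character prefix ever leaves the server, so the "hash cache" the first entry prunes is naturally keyed by prefix with a fetch timestamp; the soft-count decision is made locally from the suffix match.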
Force the global namespace (leading backslash) for functions that PHP can compile to specialised bytecode, and for other known global functions, to avoid a current-namespace lookup on every call.
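What that entry is about, as an added PHP example that is not the add-on's code. Inside a namespace, an unqualified call such as `strlen($s)` is resolved at run time (first `Example\Addon\strlen`, then the global `\strlen`), whereas `\strlen($s)` is resolved at compile time, which is what lets opcache emit its dedicated opcode for the functions it specialises (`strlen`, `count`, `is_int` and similar) and skips the per-call namespace lookup for every other global function. The namespace and function names are assumptions.

```php
<?php
declare(strict_types=1);

namespace Example\Addon;

// Added example (not the add-on's code). Shows the difference between an
// unqualified and a fully qualified call to a global function inside a
// namespace, and the shadowing hazard the unqualified form carries.

function byteLengthUnqualified(string $s): int
{
    return strlen($s);   // runtime lookup: Example\Addon\strlen, then \strlen
}

function byteLengthQualified(string $s): int
{
    return \strlen($s);  // resolved at compile time; opcache can specialise it
}

// The fallback is also a correctness hazard: declaring a namespaced function
// with a global function's name silently changes every unqualified call in
// this namespace, while the qualified call keeps its meaning.
function strtoupper(string $s): string
{
    return 'shadowed:' . $s;
}

function upperBothWays(string $s): array
{
    return [
        'unqualified' => strtoupper($s),  // calls Example\Addon\strtoupper
        'qualified'   => \strtoupper($s), // calls the global function
    ];
}

// Both length helpers return the same byte count; only the resolution differs.
\var_dump(byteLengthUnqualified('héllo'), byteLengthQualified('héllo'));
// The unqualified call now returns "shadowed:abc", the qualified one "ABC".
\var_dump(upperBothWays('abc'));
```

The same effect can be had without the backslash prefix by adding `use function strlen;` (one per function) at the top of the file; the backslash form is simply the one that needs no per-file bookkeeping.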
Add "On login; alert the user if they have a known compromised password" option (default enabled)
Add "Minimum time between triggering compromised password alerts on login" option (default 24 hours)