- Fix "Minimum time between triggering compromised password alerts on login" operating in seconds instead of hours
- Fix cases where email 2FA would not be force-enabled on the first login request after a password is discovered as compromised
- Rename various options to make them easier to search for
- Adjust various option defaults to be more robust:
  - 'Minimum password length' from 8 to 10 characters
  - 'Minimum password strength' from 'very weak' to 'weak'
  - 'Pwned password minimum count (soft)' from 1 to 0
  - 'Pwned password minimum count (hard)' from 2 to 1
  - 'Pwned password cache time' from 7 to 3 days
- Improve detection of admin/automated edits for the "Enforce password complexity for admins" feature.
- Require XenForo 2.2+, drop XF2.1 support
- Actually implement cron to prune the pwned password hash cache. Old entries were already being ignored, so this will hopefully just reduce MySQL table bloat
- Fix a denial-of-service attack by preventing overly long passwords, which can trigger a factorial number of brute-force password checks when using Zxcvbn
- Update new install option defaults to more recommended values:
  - Enforce password complexity for admins
  - Enable "Length check" by default, and set the "Minimum length" to 8
  - Enable "Pwned password password validation" by default