Built on the foundation laid by tommm/password-hash by Tom Moore
This MyBB plugin changes the cryptography method from salted password hashing to bcrypt (via PHP's password_hash) and disables the utterly moronic method of sending a user's first password via email.
- PHP 5.5 or later (for the password_hash function)
  - If your host doesn't support this, then I would consider finding a new host who keeps their systems moderately updated.
Please don't install this plugin until you have considered the caveats below.
- The process is destructive; if you wish to deactivate/uninstall the plugin in the future, all users (including administrators) with converted passwords will need to request a new password through the Forgotten Password feature.
- The plugin uses PluginLibrary to perform two edits to core files; you will need PluginLibrary 12, and the files must be writable, to continue installation.
- !!! Whenever you upgrade MyBB 1.8, you will need to perform the same edit to inc/functions_user.php to ensure you can log in to complete the process.
Upload all files and install/activate the plugin via the ACP.
By default, the plugin will convert user passwords to bcrypt the next time users log in or change their password. If you would rather users choose a new password, edit ./inc/plugins/psswrd_hsh.php and set PSSWD_CONV to false.
- Converts user passwords to bcrypt automatically upon their next login
- Requires "complex" passwords
- Sets the maximum password length to 72 (after which bcrypt will just ignore additional bytes)
- Removes the "random password" activation setting
  - Changes it to send the user an activation link
  - This should cause no disruption to users and it avoids idiotically sending their passwords who-knows-where across the internet in plaintext.
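
The convert-on-login behaviour and the 72-byte cap listed above, shown as an added example (not the plugin's own code). The function and array key names are hypothetical, the legacy scheme is assumed to be MyBB's stock md5(md5(salt) . md5(password)), and PHP 7 or later is assumed.

```php
<?php
// Added example: verifyAndUpgrade(), legacyHash() and the $user keys are hypothetical
// names, not the plugin's. Assumed legacy scheme: md5(md5(salt) . md5(password)).
const MAX_PASSWORD_BYTES = 72; // bcrypt ignores input past 72 bytes

function legacyHash(string $password, string $salt): string
{
    return md5(md5($salt) . md5($password));
}

// Checks a login attempt and upgrades $user in place to bcrypt on success.
function verifyAndUpgrade(array &$user, string $password): bool
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return false; // enforce the cap up front instead of silently truncating
    }
    $stored = $user['password'];
    if (password_get_info($stored)['algoName'] === 'bcrypt') {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Re-hash if the default cost has been raised since this hash was made.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
            $user['password'] = password_hash($password, PASSWORD_BCRYPT);
        }
        return true;
    }
    // Legacy row: constant-time compare, then convert while the plaintext is in hand.
    if (!hash_equals($stored, legacyHash($password, $user['salt']))) {
        return false;
    }
    $user['password'] = password_hash($password, PASSWORD_BCRYPT);
    $user['salt'] = ''; // bcrypt embeds its own salt in the hash string
    return true;
}

// Constructed sample row, as it would look before conversion.
$user = ['password' => legacyHash('Correct-Horse-9', 'a1b2c3d4'), 'salt' => 'a1b2c3d4'];
var_dump(verifyAndUpgrade($user, 'wrong-guess'));           // wrong password, legacy row
var_dump(verifyAndUpgrade($user, 'Correct-Horse-9'));       // right password, row is converted
var_dump(password_get_info($user['password'])['algoName']); // algorithm of the stored hash
var_dump(verifyAndUpgrade($user, 'Correct-Horse-9'));       // second login takes the bcrypt path

// Why the cap exists: bcrypt cannot tell apart inputs that differ only after byte 72.
$base = str_repeat('a', 72);
var_dump(password_verify($base . 'X', password_hash($base . 'Y', PASSWORD_BCRYPT)));
```

Once a row has been converted the legacy hash is gone, which is why deactivating the plugin forces those users through the Forgotten Password feature.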