
XenForo [OzzModz] Secret Phrase Account Recovery 2.0.0

🔐 OzzModz: Secret Phrase Recovery Add-on

A secure and bot-resistant account recovery system using a user-defined secret phrase. Ideal for recovering access when password and 2FA are lost.

🧠 Core Features

✅ Secret Phrase Setup

Users can enter a secret recovery phrase in their Account Details.
Stored securely using:
Argon2id hashing
Per-user salt from random_bytes(32) → 256-bit salt (generated automatically when the user saves a secret phrase)
Per-user pepper from random_bytes(16) → 128-bit pepper (generated automatically when the user saves a secret phrase)
✅ Entropy Validation

Secret phrase must meet a minimum length and word count:
At least 16 characters
At least 3 words
No more than 256 characters
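The two feature groups above, setup and validation, as an added example in PHP (XenForo's language). This is not the add-on's own code: the add-on does not publish how it combines the salt, phrase and pepper before hashing, so the concatenation order, the helper names and the hex encoding of the stored salt and pepper are assumptions. It assumes PHP 7.4+ built with Argon2id support (PASSWORD_ARGON2ID) and the mbstring extension.

```php
<?php
// Added example, not the add-on's own code: enforce the phrase policy
// (16..256 characters, at least 3 words) and store the phrase as Argon2id
// over salt + phrase + pepper. Concatenation order is an assumption.
declare(strict_types=1);

const PHRASE_MIN_LENGTH = 16;
const PHRASE_MAX_LENGTH = 256;
const PHRASE_MIN_WORDS  = 3;

/** Returns null when the phrase meets the policy, otherwise the reason it fails. */
function validateSecretPhrase(string $phrase): ?string
{
    $phrase = trim($phrase);
    $length = mb_strlen($phrase);
    if ($length < PHRASE_MIN_LENGTH) {
        return 'Phrase must be at least ' . PHRASE_MIN_LENGTH . ' characters';
    }
    if ($length > PHRASE_MAX_LENGTH) {
        return 'Phrase must be no more than ' . PHRASE_MAX_LENGTH . ' characters';
    }
    // A "word" is a run of non-whitespace: twenty x's in a row is one word, not three.
    $words = preg_split('/\s+/u', $phrase, -1, PREG_SPLIT_NO_EMPTY);
    if (count($words) < PHRASE_MIN_WORDS) {
        return 'Phrase must contain at least ' . PHRASE_MIN_WORDS . ' words';
    }
    return null;
}

/**
 * Builds the record stored for a user. password_hash() with Argon2id already
 * embeds its own random salt in the returned string, so the explicit per-user
 * salt is an extra layer rather than a replacement. A pepper only adds
 * something over a salt if it lives outside the database (config file,
 * secrets store); kept in the same row as the hash it acts as a second salt.
 */
function createSecretPhraseRecord(string $phrase): array
{
    $phrase = trim($phrase);        // same normalisation as validation
    $salt   = random_bytes(32);     // 256-bit, per user
    $pepper = random_bytes(16);     // 128-bit, per user

    return [
        'hash'   => password_hash($salt . $phrase . $pepper, PASSWORD_ARGON2ID),
        'salt'   => bin2hex($salt),
        'pepper' => bin2hex($pepper),
    ];
}

/** Verifies a recovery attempt; a null hash means the phrase was already consumed or never set. */
function verifySecretPhrase(string $phrase, array $record): bool
{
    if ($record['hash'] === null) {
        return false;
    }
    return password_verify(
        hex2bin($record['salt']) . trim($phrase) . hex2bin($record['pepper']),
        $record['hash']
    );
}

// Constructed demo input
$phrase = 'correct horse battery staple';
var_dump(validateSecretPhrase($phrase));                 // meets the policy
var_dump(validateSecretPhrase('too short'));             // under 16 characters
var_dump(validateSecretPhrase(str_repeat('x', 20)));     // long enough, but one word

$record = createSecretPhraseRecord($phrase);
var_dump(verifySecretPhrase($phrase, $record));
var_dump(verifySecretPhrase('correct horse battery', $record));
```

Apply the same normalisation (here, trim) before validating, hashing and verifying, or a phrase saved with a trailing space will never verify.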

🔑 Account Recovery Flow

✅ Recovery Page

Public form with:
Username
Secret phrase
Traps for bots
✅ Recovery Validation

Validates the phrase using the user’s salt + pepper
If correct:
Logs the user in automatically
Invalidates the secret (it becomes one-time use)
Clears any rate-limiting attempts
Writes a success log entry (IP address and username) and shows the user a message telling them they need to create a new secret phrase
✅ Recovery Limit Protection

Tracks failed attempts in a table
Locks recovery for 15 minutes after 5 failed attempts per IP or user
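The recovery flow above, from the validation through the lock-out rule, as an added example in PHP that is not the add-on's own code. The database tables are replaced by in-memory arrays (AttemptStore stands in for the secret_phrase_attempt table), the phrase is assumed to be hashed as Argon2id over salt + phrase + pepper, and the lock is modelled as "5 failures in the last 15 minutes, counted per IP or per username". The dummy-hash step for unknown users is added here to avoid a timing oracle and is not something the add-on claims. PHP 7.4+ with Argon2id support assumed.

```php
<?php
// Added example, not the add-on's own code: recovery decision with the
// 5-failures / 15-minute lock, one-time use of the phrase, and the 24-hour
// pruning of attempt rows. Hashing layout and table shape are assumptions.
declare(strict_types=1);

const RECOVERY_MAX_FAILURES     = 5;
const RECOVERY_LOCK_SECONDS     = 15 * 60;
const ATTEMPT_RETENTION_SECONDS = 24 * 60 * 60;

/** Stand-in for the secret_phrase_attempt table: one row per failed attempt. */
final class AttemptStore
{
    /** @var array<int, array{ip: string, username: string, time: int}> */
    private array $rows = [];

    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->rows[] = ['ip' => $ip, 'username' => $username, 'time' => $now];
    }

    /** Failures in the last 15 minutes that share either the IP or the username. */
    public function recentFailures(string $ip, string $username, int $now): int
    {
        $since = $now - RECOVERY_LOCK_SECONDS;
        $count = 0;
        foreach ($this->rows as $row) {
            if ($row['time'] > $since && ($row['ip'] === $ip || $row['username'] === $username)) {
                $count++;
            }
        }
        return $count;
    }

    /** After a successful recovery the counters for this IP and user start over. */
    public function clear(string $ip, string $username): void
    {
        $this->rows = array_values(array_filter(
            $this->rows,
            fn(array $row): bool => $row['ip'] !== $ip && $row['username'] !== $username
        ));
    }

    /** What the cron job does: drop rows older than 24 hours. Returns how many went. */
    public function prune(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_values(array_filter(
            $this->rows,
            fn(array $row): bool => $row['time'] > $now - ATTEMPT_RETENTION_SECONDS
        ));
        return $before - count($this->rows);
    }
}

/**
 * One recovery attempt. $users stands in for the user table:
 * username => ['hash' => string|null, 'salt' => hex, 'pepper' => hex].
 * Returns 'locked', 'failed' or 'recovered'.
 */
function attemptRecovery(array &$users, AttemptStore $attempts, string $username, string $phrase, string $ip, int $now): string
{
    if ($attempts->recentFailures($ip, $username, $now) >= RECOVERY_MAX_FAILURES) {
        return 'locked'; // refuse before touching the phrase: a locked-out caller learns nothing
    }

    $user = $users[$username] ?? null;
    if ($user === null || $user['hash'] === null) {
        // Unknown user or already-consumed phrase: spend the same Argon2id cost as a real
        // check so response time does not reveal which usernames have a phrase set.
        static $dummyHash = null;
        $dummyHash = $dummyHash ?? password_hash(random_bytes(16), PASSWORD_ARGON2ID);
        password_verify($phrase, $dummyHash);
        $valid = false;
    } else {
        $valid = password_verify(hex2bin($user['salt']) . $phrase . hex2bin($user['pepper']), $user['hash']);
    }

    if (!$valid) {
        $attempts->recordFailure($ip, $username, $now);
        return 'failed'; // same answer whether the user exists or not
    }

    $users[$username]['hash'] = null; // one-time use: the phrase cannot be replayed
    $attempts->clear($ip, $username);
    // The real add-on logs the user in and writes the recovery log row at this point.
    return 'recovered';
}

// Constructed demo: one user, one attacker IP, a fixed clock
$salt   = random_bytes(32);
$pepper = random_bytes(16);
$users  = ['alice' => [
    'hash'   => password_hash($salt . 'correct horse battery staple' . $pepper, PASSWORD_ARGON2ID),
    'salt'   => bin2hex($salt),
    'pepper' => bin2hex($pepper),
]];
$attempts = new AttemptStore();
$ip = '203.0.113.7';
$t  = 1700000000;

for ($i = 1; $i <= 5; $i++) {
    echo attemptRecovery($users, $attempts, 'alice', "wrong guess number $i", $ip, $t + $i), "\n";
}
// Right phrase inside the lock window: still refused
echo attemptRecovery($users, $attempts, 'alice', 'correct horse battery staple', $ip, $t + 10), "\n";
// A different username from the same IP is locked as well (per-IP rule)
echo attemptRecovery($users, $attempts, 'bob', 'anything at all here', $ip, $t + 11), "\n";
// Once the lock expires the right phrase works exactly once
echo attemptRecovery($users, $attempts, 'alice', 'correct horse battery staple', $ip, $t + 10 + RECOVERY_LOCK_SECONDS + 1), "\n";
echo attemptRecovery($users, $attempts, 'alice', 'correct horse battery staple', $ip, $t + 10 + RECOVERY_LOCK_SECONDS + 2), "\n";
echo $attempts->prune($t + 2 * ATTEMPT_RETENTION_SECONDS), " stale attempt rows pruned\n";
```

Counting failures in a sliding 15-minute window, and refusing without recording while locked, gives a lock that ends 15 minutes after the last counted failure; recording refused attempts too would let an attacker keep a victim locked out indefinitely.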

🤖 Anti-Bot Honeypot Protection

✅ Bot Traps

Uses Spaminator-style trap code to detect bots
If bot detected:
Blocked silently (no error message shown)
Logged to a log viewable in the Admin CP
✅ Smart Logging

Only logs hits if the user does not have a valid secret phrase
Stores:
username attempted
ip_address (as binary)
user_agent
field_value (which trap caught the bot and the value it submitted)
Multiple values logged with two line breaks between them for easy viewing
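The bot traps and the log row they produce, as an added example in PHP that is not the add-on's own code. The add-on does not publish which traps it uses, so the two traps here (hidden fields that must come back empty, and an HMAC-signed render timestamp that must be at least 3 seconds old), the field names, the secret key constant and the helper names are all assumptions; the log columns and the two-line-break separator follow the description above. PHP 7.4+ assumed.

```php
<?php
// Added example, not the add-on's own code: Spaminator-style traps on the
// recovery form and the honeypot log row. Trap fields, fill-time threshold
// and HMAC key are assumptions.
declare(strict_types=1);

const TRAP_MIN_FILL_SECONDS = 3;
const TRAP_HMAC_KEY = 'replace-with-a-per-site-secret'; // assumption: comes from config in practice
const TRAP_HIDDEN_FIELDS = ['website', 'email_confirm']; // hidden by CSS; a human never fills them

/** Values embedded in the form when rendered: a timestamp a bot cannot back-date without the key. */
function renderTrapFields(int $now): array
{
    return [
        '_form_ts'  => (string)$now,
        '_form_sig' => hash_hmac('sha256', (string)$now, TRAP_HMAC_KEY),
    ];
}

/** Returns one string per trap that fired, or an empty array for a clean submission. */
function detectBotTraps(array $post, int $now): array
{
    $hits = [];

    // Trap 1: hidden fields must come back empty; form-fillers populate every input.
    foreach (TRAP_HIDDEN_FIELDS as $field) {
        if (($post[$field] ?? '') !== '') {
            $hits[] = $field . ': ' . $post[$field];
        }
    }

    // Trap 2: the form must have been on screen for a few seconds, and the
    // timestamp must carry a valid signature, otherwise the bot just sends an old one.
    $ts  = (string)($post['_form_ts'] ?? '');
    $sig = (string)($post['_form_sig'] ?? '');
    if ($ts === '' || !hash_equals(hash_hmac('sha256', $ts, TRAP_HMAC_KEY), $sig)) {
        $hits[] = '_form_ts: missing or tampered';
    } elseif ($now - (int)$ts < TRAP_MIN_FILL_SECONDS) {
        $hits[] = sprintf('_form_ts: submitted %d s after render', $now - (int)$ts);
    }

    return $hits;
}

/** The row for the honeypot log table; ip_address is packed binary as the add-on describes. */
function buildBotTrapLogRow(string $username, string $ip, string $userAgent, array $hits, int $now): array
{
    return [
        'username'    => $username,
        'ip_address'  => inet_pton($ip) ?: '',    // 4 bytes for IPv4, 16 for IPv6
        'user_agent'  => substr($userAgent, 0, 255),
        'field_value' => implode("\n\n", $hits),  // two line breaks between values
        'log_date'    => $now,
    ];
}

/**
 * A trap hit is blocked silently (the caller renders the same generic failure
 * page a wrong phrase gets) and, per the add-on's rule, logged only when the
 * targeted user has no valid secret phrase. Returns ['blocked' => bool, 'log' => array|null].
 */
function handleRecoverySubmission(array $post, string $ip, string $userAgent, bool $userHasValidPhrase, int $now): array
{
    $hits = detectBotTraps($post, $now);
    if ($hits === []) {
        return ['blocked' => false, 'log' => null]; // continue to the real phrase check
    }
    $log = $userHasValidPhrase
        ? null
        : buildBotTrapLogRow((string)($post['username'] ?? ''), $ip, $userAgent, $hits, $now);
    return ['blocked' => true, 'log' => $log];
}

// Constructed demo: a bot fills the hidden field and posts one second after render
$rendered = 1700000000;
$bot = ['username' => 'admin', 'secret_phrase' => 'guess', 'website' => 'http://spam.invalid']
     + renderTrapFields($rendered);
$result = handleRecoverySubmission($bot, '198.51.100.23', 'curl/8.4.0', false, $rendered + 1);
var_dump($result['blocked']);
echo $result['log']['field_value'], "\n";

// A human: hidden field empty, twenty seconds spent on the form
$human = ['username' => 'alice', 'secret_phrase' => 'correct horse battery staple', 'website' => '']
       + renderTrapFields($rendered);
var_dump(handleRecoverySubmission($human, '198.51.100.23', 'Mozilla/5.0', false, $rendered + 20)['blocked']);
```

Blocking silently matters: a distinct "you tripped a trap" response tells the bot operator which field to leave blank, while an indistinguishable failure page gives nothing away.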

🛠 Admin CP Log Viewer

✅ ACP List of Bot Trap Logs

Shows:
Username (linked if it matches a real account, which should never happen for a trapped submission)
IP address (linked to WhatIsMyIPAddress)
Timestamp
User agent (wraps if long)
Bot traps hit
✅ ACP List of Successful Recovery Logs

Shows:
Username (linked to user edit page in Admin CP)
IP address (linked to WhatIsMyIPAddress)
Timestamp
User agent (wraps if long)
Each recovery is logged when a secret phrase is successfully used
Helpful for auditing real access versus abuse
✅ Admin Tools

“Clear log” button in top-right
Opens a confirmation overlay
Truncates either the honeypot or recovery log table
Logs are paginated

🧹 Background Cleanup

✅ Cron Job

Deletes secret_phrase_attempt entries older than 24 hours

🚫 Bot Filtering Summary

Trap: Behavior
Bot traps: blocked silently and logged
Rate limiting: 5 failed attempts → 15-minute lock
One-time recovery: secret is invalidated after use
Author: Admin