SSL Labs ScoreHSTS Preloaded

One day, while trying to remember which password I used to log into my Google account, it occurred to me that Google could easily track bad passwords and associate them to a particular user. With this information, along with the rest of what Google knows about us, they could easily gain access to other accounts and services.

So, I wrote this pair of plugins to provide this capability to Joomla administrators. Because this plugin only stores bad passwords, storing clear text passwords isn't exactly a security risk because they're known bad. When a user changes his or her password to one that is already in the stored list, that password is cleared from the list.

The list appears on the user edit screen in administrator and nowhere else. Administrators also have the option of clearing the list for individual users. Additionally, the plugin can be configured to store bad passwords for the frontend, the backend and to exclude specific groups from bad password storage.

Use is easy.

  1. Install the package.
  2. Enable both plugins.
  3. Configure the User - Log Bad Passwords plugin to set where it should run, and what group restrictions should be enabled.

This package was an experiment, to determine if it could be safely built. I wouldn't suggest running it on public sites because it may expose the passwords your users use on other sites.

Is this extension unethical? It depends on what you use it for. For a support representative on a private intranet site - this can be a very useful tool. Using this on a public site may be more questionable. I released it so everyone would know it's possible, as a warning - not so accounts can be compromised. Either way - please keep your opinions on ethics out of your review.

If you're concerned that a site might be using it, you can browse the site for /plugins/system/logbadpasswords/index.html . If the page is blank, the site uses the extension. If you receive an error - the site does not use it.


  • Configureable to ignore certain users

Download Log Bad Passwords 1.2

Bug Reports

Documentation: Online | Zipped PDF

Discuss this article in the forums (0 replies).

Paid Extension FAQ

What am I buying?
  • The extension
  • One year of updates
  • Support
Do you still support free versions?
Only bugfixes
Can I install the extension on multiple sites?
Go for it
Can I give a copy to my friend?
While this is ethically wrong, there is no easy way for me to stop it. However, if your friend wants support he should call you - because I won't talk to him unless he purchases the extension.
What happens to the extension at the end of the year?
Nothing. It remains installed and configured, it just stops receiving updates and support is suspended.
What if I give you an idea that you turn into a paid extension?
You'll be given a lifetime subscription for that extension.
What if I contract you to make a custom extension for me?
There are two options, and I may or may not offer both.
  1. You will be given a quote for outright ownership of the extension.
  2. If it's something that I believe will benefit the community, I may offer a reduced quote where I retain ownership along with the promise that it will remain a free extension.