Discover a unique security tool for Joomla with "User - Log Bad Passwords," a reimagined plugin designed to help administrators track and manage weak or previously failed password attempts. Originally released as a package of two plugins for earlier Joomla versions, this re-release consolidates that functionality into a single, streamlined plugin—simplifying installation while retaining the same powerful features.
How It Works
Inspired by a personal revelation about password tracking, I created this plugin to empower Joomla administrators with insights by creating an extension to log bad passwords, mirroring capabilities like those Google might use. When a user enters an incorrect password, "User - Log Bad Passwords" logs it. Only failed attempts are stored, in clear text (not a security risk since they’re known bad passwords), and they are stored when that user makes a successful login attempt. If a user later adopts a logged bad password, it’s automatically cleared from the list, ensuring continuous protection.
The log appears exclusively on the user edit screen in the Joomla administrator backend, nowhere else, giving admins full control. You can configure the plugin to track bad passwords for frontend logins, backend logins, or exclude specific user groups, tailoring its scope to your needs. Installation and setup are straightforward: install the single plugin, then configure where it runs and which groups to exclude.
v5.0.0
Ethical Considerations and Use Cases
Is this plugin unethical? That depends on its application. For a support representative on a private intranet site, it’s a valuable tool for identifying weak passwords and improving security. However, using it on public-facing sites raises ethical questions, as it could expose passwords users might reuse elsewhere. I released it as a warning, not an invitation to compromise accounts—please keep ethical opinions out of reviews, as I’m simply highlighting a possibility. If you’re concerned a site uses this plugin, check for /plugins/user/logbadpasswords/logbadpasswords.xml; if you see XML, it’s installed.
Why Choose User - Log Bad Passwords?
This plugin isn’t for every site, but for controlled environments like private intranets, it’s a game-changer. It’s an experiment in secure password monitoring, built with care, and now simpler than ever with its single-plugin re-release. Use it responsibly to enhance security, but weigh the risks carefully for public sites.
Features
- Streamlined Single Plugin: Combines previous dual-plugin functionality into one installer for easier use.
- Bad Password Logging: Tracks failed password attempts, clearing them if reused, visible only in the admin user edit screen.
- Flexible Configuration: Set to monitor frontend, backend, or exclude specific user groups.
- Ethical Awareness: Designed for controlled, private use—exercise caution on public sites.
Are you looking for the Joomla 3 version? You can find it here: Log Bad Passwords for Joomla 3
Download the Plugin
User - Log Bad Passwords 5.0.0
Frequently Asked Questions:
What is the "User - Log Bad Passwords" plugin?
It’s a Joomla plugin designed to help administrators track and log failed password attempts by users. It consolidates features from an earlier dual-plugin package into a single, streamlined plugin, making it easier to install and use while enhancing security monitoring in controlled environments.
How does the plugin work?
When a user enters an incorrect password, the plugin logs it in clear text as a "bad password." These logs are stored only for failed attempts and are cleared if the user later adopts one of those passwords successfully. The log is visible exclusively on the user edit screen in the Joomla administrator backend.
Where can I see the logged bad passwords?
The logged bad passwords appear only in the Joomla administrator backend, specifically on the user edit screen for the relevant user. They are not displayed anywhere else in the system.
Is it safe to store failed passwords in clear text?
Yes, it’s not a security risk because only failed password attempts are logged—passwords that are already known to be incorrect. Successful passwords are never stored, and if a previously failed password becomes a user’s new password, it’s automatically removed from the log.
Can I customize how the plugin tracks passwords?
Yes, the plugin is flexible. You can configure it to monitor failed password attempts for frontend logins, backend logins, or both. You can also exclude specific user groups from being tracked, tailoring it to your site’s needs.
How do I install and set up the plugin?
Installation is simple: download the single plugin file, install it via Joomla’s extension manager, and then configure it in the plugin settings. You can specify where it runs (frontend, backend, or both) and which user groups to exclude.
Is this plugin ethical to use?
It depends on the context. In private, controlled environments like an intranet, it’s a useful tool for improving security by identifying weak passwords. On public-facing sites, however, it could raise ethical concerns if users reuse passwords elsewhere, as it logs failed attempts. The developer encourages responsible use and warns against compromising user trust.
How can I tell if a Joomla site is using this plugin?
You can check for the plugin’s presence by looking for the file /plugins/user/logbadpasswords/logbadpasswords.xml in the site’s directory. If this XML file exists, the plugin is installed.
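The manifest check described in this answer and under Ethical Considerations, written as a local audit an administrator can run over the Joomla roots they manage. This is an added example, not code from the plugin or its author; the `extension`, `name` and `version` fields follow the standard Joomla manifest layout, and the sample manifest contents and site names are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Path given on this page, relative to the Joomla root.
MANIFEST = Path("plugins/user/logbadpasswords/logbadpasswords.xml")
MAX_BYTES = 256 * 1024  # a plugin manifest is small; refuse anything larger


def audit_site(joomla_root):
    """Return a finding dict for one Joomla root directory."""
    path = Path(joomla_root) / MANIFEST
    if not path.is_file():
        return {"root": str(joomla_root), "status": "absent"}
    if path.stat().st_size > MAX_BYTES:
        return {"root": str(joomla_root), "status": "unreadable"}
    try:
        ext = ET.fromstring(path.read_bytes())
    except ET.ParseError:
        # File exists but is not XML (truncated upload, placeholder page).
        return {"root": str(joomla_root), "status": "unreadable"}
    is_user_plugin = (ext.tag == "extension"
                      and ext.get("type") == "plugin"
                      and ext.get("group") == "user")
    return {
        "root": str(joomla_root),
        "status": "installed" if is_user_plugin else "unexpected-xml",
        "name": (ext.findtext("name") or "").strip(),
        "version": (ext.findtext("version") or "").strip(),
    }


def demo():
    """Build three constructed site roots and audit each one."""
    sample = ('<?xml version="1.0" encoding="utf-8"?>\n'
              '<extension type="plugin" group="user" method="upgrade">'
              '<name>plg_user_logbadpasswords</name>'
              '<version>5.0.0</version></extension>')  # constructed manifest
    with tempfile.TemporaryDirectory() as tmp:
        roots = {n: Path(tmp) / n for n in ("intranet", "shop", "broken")}
        for n in ("intranet", "broken"):
            (roots[n] / MANIFEST).parent.mkdir(parents=True)
        roots["shop"].mkdir()
        (roots["intranet"] / MANIFEST).write_text(sample, encoding="utf-8")
        (roots["broken"] / MANIFEST).write_text("<html>not found", encoding="utf-8")
        return {n: audit_site(r) for n, r in roots.items()}


if __name__ == "__main__":
    for site, finding in demo().items():
        print(site, finding)
```

The manifest shows that the plugin's files are on disk; whether the plugin is enabled is recorded in Joomla's extensions table, which this check does not read.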
What are the main use cases for this plugin?
It’s ideal for private intranets or controlled Joomla environments where administrators want to monitor and improve password security. For example, a support representative could use it to identify users with consistently weak password choices and provide guidance.
Why was the plugin re-released as a single plugin?
The original version came as a package of two plugins, but the re-release combines all functionality into one installer. This simplifies the setup process while retaining the same powerful features, making it more user-friendly.
Should I use this plugin on a public website?
The developer advises caution when using it on public sites due to potential ethical concerns. It’s best suited for private or controlled environments where security monitoring outweighs privacy risks.
What happens if a user reuses a previously failed password?
If a user successfully sets a password that was previously logged as a failed attempt, the plugin automatically clears that password from the bad password log, ensuring the list remains relevant and secure.
Is there a version for Joomla 3?
Yes, if you need the plugin for Joomla 3, you can find it at the link provided in the article: Log Bad Passwords for Joomla 3.
What makes this plugin different from other security tools?
Unlike many security tools that focus on blocking attacks or encrypting data, this plugin proactively logs failed password attempts to help admins understand user behavior and strengthen security policies. Its unique focus is on insight rather than prevention alone.
Who should avoid using this plugin?
Administrators of public-facing Joomla sites with diverse users should weigh the risks carefully, as logging failed passwords could inadvertently expose patterns that users repeat on other platforms. It’s not recommended for sites where privacy is a higher priority than security monitoring.