Update:
I have officially released the script. It's very simple to add to your site, only 3 files to edit and 2 files to upload. I did make the banner responsive just in case of those themes that may be responsive.
Can be downloaded from here:
** NOTE **
If you want to use this script, you will need to have the following installed:
If you have the Evo Shout already installed on your site, then you already have them installed.
UPDATE #2
Here is a video about it:
Over the past decade, we've seen a massive rise in data breaches, exposing millions of passwords dumped online from services people trusted. It's easy to forget that once a password is exposed, it's no longer safe to use, even if the original site patched things up. Hackers compile these leaks into huge databases and use automated tools to break into accounts elsewhere, banking on the fact that a lot of people reuse passwords.
I decided to create a little breach warning bar that is a proactive way to alert your users that their current password has already been spotted in known data breaches. It's not based on guesswork. It uses real-world leak data. It’s subtle, non-intrusive, and doesn’t get in the way. But it also sends a strong message: we take your security seriously, and we’re not waiting for something bad to happen before we act. It encourages users to update their credentials and stay safe, which helps protect your site too by reducing the risk of account takeovers.
How it works:
The way it works is when you log into the site, your password gets quickly and securely checked against a huge database of passwords (the Have I Been Pwned database) that have been leaked or stolen in past data breaches. But don’t worry, your actual password isn’t sent anywhere. Instead, a scrambled, unreadable version of it (called a “hash”) is used where the check is done securely on the server. Your full password never leaves the server, and only a piece of the hashed version is used to check against known breaches. That way, your real password stays private and safe the whole time.
The system then looks through the known list of compromised passwords using part of that hash, kind of like checking the first few letters of a word in a dictionary. If there’s a match, that means your password has shown up in a past breach somewhere. If it has, the site shows you a small warning at the top of the screen suggesting that you change it. That’s all—it doesn’t block you or lock you out, it just lets you know there could be a risk.
And to make sure it’s not annoying, you can close that warning bar yourself, and it won’t keep popping up every time. It’s just a little nudge to stay safe, especially with how common password leaks have become. You don’t need to do anything special, it’s all automatic and built in to help protect your account.
Here is a short animation of it working on my test site:

Is this something you guys would like me to release, or maybe have put in by default?
Last edited by coRpSE on Sun May 18, 2025 11:52 am; edited 5 times in total
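The "part of the hash" lookup described in the post above, as an added example (not the released script's code, and not written by the poster). It assumes the Pwned Passwords range API behind Have I Been Pwned; `constructed_fetch`, the `dismissed` flag and the fail-open choice are illustrative assumptions.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range API


def fetch_range(prefix):
    """Fetch every known hash suffix that shares this 5-character prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "breach-bar-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")


def constructed_fetch(prefix):
    """Constructed offline response: one padding row and one hit for 'password'."""
    hit = hashlib.sha1(b"password").hexdigest().upper()[5:]
    return "0" * 35 + ":0\r\n" + hit + ":42\r\n"  # the count 42 is made up


def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the breach data (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    try:
        body = fetch(prefix)  # only these 5 hex characters leave the server
    except OSError:
        return 0  # assumption: fail open, so an API outage never affects login
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        # The suffix comparison happens locally; padding rows have count 0.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def should_show_banner(password, dismissed, fetch=fetch_range):
    """Warn only, never block; `dismissed` is a hypothetical per-user flag."""
    return not dismissed and breach_count(password, fetch) > 0


if __name__ == "__main__":
    print(should_show_banner("password", False, constructed_fetch))
```

The check has to run at login, while the plaintext password is still in memory; a stored password hash cannot be checked this way afterwards.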
Okay, update. I put the script on this site to test. If your password has been found in a DB breach, you will see a message at the top. If you'd like to have this script on your site, it's very easy to install and needs no DB tables. It requires 2 files to be edited and 3 files to be edited with 1 edit in each file, and it includes 1 file.
I've updated my first post. I have released this script for anyone that would like to add it to their site for added security for their users.
Okay, there has been some confusion on how this script works, so, I am going to make a video explaining it in a way that will make it easier to follow. There have been some concerns, and I am okay with that, this video will eliminate your concerns I hope.
I updated my first post with the video and a link to the demo that I show in the video.
Interesting idea - and kudos on a great enhancement. Have you considered other approaches like multi-factor authentication? Before TOTP was a thing, one of the best enhancements we made to NukeSentinel was to enable HTTPauth (admin authentication) on the Nuke admin file. This was really effective at blocking attacks and essentially the same as 2FA, but with a second login instead of a dynamic code.
kguske, I actually started looking at implementing 2-factor a couple of years ago, and that is how I found the big security issue with all versions of nuke. (I just installed the latest RN on my local to get the fix out there). But at the same time, that led me to write the changes to the cookies to help protect against XSS attacks, then that led me to writing the CSRF token protection.
I talk about those here:
It seems like every time I go to start working on it, or at least really take a good look at it, something pulls me away from it. But I have looked at a few ways of implementing TOTP with a QR creator, but that is as far as I got. I think I will be able to get to it soon. I'd just like to finish up the analytics scripts I am working on and add a bit more to my StrikeTracker script to help protect from SQL injection. I do notice most of it is just bots testing the waters, but every little bit helps.
I do remember my first RN site I had back in 05/06, the first time I set up the HTTPauth, for the life of me, I could never remember the password I set for myself on that.
