[OzzModz] Secret Phrase Account Recovery 2.0.0

OzzModz: Secret Phrase Recovery Add-on​

A secure and bot-resistant account recovery system using a user-defined secret phrase. Ideal for recovering access when password and 2FA are lost.

---

Core Features​

Secret Phrase Setup​

• Users can enter a secret recovery phrase in their Account Details.
• Stored securely using:
  • Argon2ID hashing
  • Per-user salt using random_bytes(32) → 256-bit salt (automatically generated when user saves a secret phrase)
  • Per-user pepper, using random_bytes(16) → 128-bit pepper (automatically generated when user saves a secret phrase)

Entropy Validation​

• Secret phrase must meet minimum complexity:
  • At least 16 characters
  • At least 3 words
  • No more than 256 characters

---

Account Recovery Flow​

Recovery Page​

• Public form with:
  • Username
  • Secret phrase
  • Traps for bots

Recovery Validation​

• Validates the phrase using the user’s salt + pepper
• If correct:
  • Logs the user in automatically
  • Invalidates the secret (it becomes one-time use)
  • Clears any rate-limiting attempts
  • Logs a success message with IP and username telling them they need to create a new secret phrase

Recovery Limit Protection​

• Tracks failed attempts in a table
• Locks recovery for 15 minutes after 5 failed attempts per IP or user

---

Anti-Bot Honeypot Protection​

Bot Traps​

• User Spaminator type code to find bots
• If bot detected:
  • Blocked silently (no error message shown)
  • Logged in a ACP viewable log

Smart Logging​

• Only logs hits if the user does not have a valid secret phrase
• Stores:
  • username attempted
  • ip_address (as binary)
  • user_agent
  • field_value (e.g. what caught the bots)
  • Multiple values logged with two line breaks between them for easy viewing

---

🛠 Admin CP Log Viewer​

ACP List of Bot Trap Logs​

• Shows:
  • Username (linked if valid, which should never happen)
  • IP address (linked to WhatIsMyIPAddress)
  • Timestamp
  • User agent (wraps if long)
  • Bot traps hit

ACP List of Successful Recovery Logs​

• Shows:
  • Username (linked to user edit page in Admin CP)
  • IP address (linked to WhatIsMyIPAddress)
  • Timestamp
  • User agent (wraps if long)
• Each recovery is logged when a secret phrase is successfully used
• Helpful for auditing real access versus abuse

Admin Tools​

• “Clear log” button in top-right
• Opens a confirmation overlay
• Truncates either the honeypot or recovery log table
• Logs are paginated

---

Background Cleanup​

Cron Job​

• Cleans out old secret_phrase_attempt entries older than 24 hours

---

Bot Filtering Summary​

---

Premium Upgrade​

Upgrade to [OzzModz] Premium and unlock access to this add-on plus our entire collection for just $10.00 USD.

Your Premium status grants you unlimited downloads of all [OzzModz] add-ons for a full six months.

View the full [OzzModz] Premium collection »

---

Screenshots​

Take a look at the add-on in action. These examples showcase the Admin CP log viewer, the user-facing recovery screen, account details page, successful recovery log and how honeypot detections are logged.

---

Account Details Page (no phrase saved):

View attachment 320918

Account Details Page (phrase saved):


Login Screen:


Recovery Screen:


After using Recovery:


Successful Recovery Log (ACP, Logs, Users, Successful account recovery log):


Spam Bot Attempt Log (ACP, Logs, Spam, Secret phrase bot log):