Failed logins documented with shortened passwords for safety



Post by onoehring » 2019-08-01 07:59


As this idea evolved from Ahmed's Udemy course (viewtopic.php?f=3&t=2079), I highly recommend that anyone buy the course. It's really good.

Ahmed suggests in lesson 4.11 the reporting of failed logins. In this video/code he explains how to write specific data to the database for the admin to see. The idea is good in my opinion, but Ahmed also writes the full password that was used in a failed login attempt to the database. This, however, is a security concern, as the user might have simply mistyped a character. So a member with access to that table of failed logins might be able to guess the password of another user.
For this reason I suggest removing the last 4 characters from the logged password. I suggest using this code in the hooks/__global.php function login_failed:

Code: Select all

$ts = date('Y-m-d H:i:s');                     // human-readable timestamp
$ip = makeSafe($_SERVER['REMOTE_ADDR']);       // client address (define here if not already set earlier in the hook)
$eo = ['silentErrors' => true];                // error options passed to sql()
// Truncate the raw password first and escape afterwards: escaping before
// truncation can leave a dangling backslash when a quote sits near the end.
$pw = $attempt['password'];
if (strlen($pw) > 4) {
	$pw = substr($pw, 0, -4);
} else {
	$pw = '';                                  // 4 characters or fewer: log none of it
}
$details = makeSafe("User login failed. Username: {$attempt['username']}. Password (last 4 characters removed): $pw");
sql("INSERT INTO logs SET ipaddr='{$ip}', time_stmp='{$ts}', details='{$details}'", $eo);
PS: Another change in my code compared to Ahmed's is that I write the timestamp in a human-readable form to the database.
Comments? Suggestions?

Some postings I was involved in that you might find useful:
Backup your database (viewtopic.php?f=4&t=3341); Improve security (viewtopic.php?f=4&t=3168); Field Permissions (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add 2nd SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104); Place a search on details view (viewtopic.php?f=2&t=3479&p=12484#p12484); Column-Value-Based-Permissions (viewtopic.php?f=4&t=3498)
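The redaction described in the post above, as an added stand-alone example that is not part of the original post or of AppGini's own code. It assumes the hook signature `login_failed($attempt, $memberInfo, &$args)` and the `makeSafe()` / `sql()` helpers of a generated AppGini application; in the offline demo below, `addslashes()` stands in for `makeSafe()` and the sample attempts are constructed, not real data. The example generalizes the post's snippet in two ways: it counts UTF-8 characters instead of bytes, and it truncates before escaping, because escaping first and truncating afterwards can cut an escape sequence in half and leave a lone backslash in the INSERT statement.

```php
<?php
// Added example, not from the original post or from AppGini itself.

/**
 * Return $password with its last $drop characters removed.
 * Operates on the raw (unescaped) value and counts UTF-8 characters,
 * so a multibyte character is never split. Passwords of $drop
 * characters or fewer are redacted completely.
 */
function redact_failed_password(string $password, int $drop = 4): string {
    $len = mb_strlen($password, 'UTF-8');
    if ($len <= $drop) {
        return '';
    }
    return mb_substr($password, 0, $len - $drop, 'UTF-8');
}

/**
 * Build the escaped log line for one failed attempt. Redaction happens on
 * the raw password; $escape (makeSafe in AppGini, addslashes in this demo)
 * is applied once, to the finished string, just before it goes into SQL.
 */
function failed_login_details(array $attempt, callable $escape): string {
    $pw   = redact_failed_password((string) ($attempt['password'] ?? ''));
    $user = (string) ($attempt['username'] ?? '');
    return $escape("User login failed. Username: {$user}. Password (last 4 characters removed): {$pw}");
}

/**
 * The order used in the original snippet (escape, then cut 4 characters),
 * kept here only to show the failure mode on a password containing a quote.
 */
function escape_then_truncate(string $password, callable $escape): string {
    return substr($escape($password), 0, -4);
}

// Constructed sample attempts (not real data).
$samples = [
    ['username' => 'alice', 'password' => 'correcthorsebattery'], // normal case
    ['username' => 'bob',   'password' => "ab'cde"],              // quote near the end
    ['username' => 'carol', 'password' => 'abc'],                 // shorter than 4
    ['username' => 'dave',  'password' => 'pässwörd€€€€'],        // multibyte characters
];

foreach ($samples as $attempt) {
    echo failed_login_details($attempt, 'addslashes'), PHP_EOL;
}

// Escaping first turns "ab'cde" into "ab\'cde"; dropping 4 characters leaves
// "ab\", whose trailing backslash would escape the closing quote of the
// INSERT statement. Redacting first yields "ab" with nothing to escape.
echo 'escape-then-truncate: ', escape_then_truncate("ab'cde", 'addslashes'), PHP_EOL;
echo 'truncate-then-escape: ', addslashes(redact_failed_password("ab'cde")), PHP_EOL;

// Inside hooks/__global.php the same helper would be used as (assumed AppGini API):
//
// function login_failed($attempt, $memberInfo, &$args) {
//     $ts = date('Y-m-d H:i:s');
//     $ip = makeSafe($_SERVER['REMOTE_ADDR']);
//     $eo = ['silentErrors' => true];
//     $details = failed_login_details($attempt, 'makeSafe');
//     sql("INSERT INTO logs SET ipaddr='{$ip}', time_stmp='{$ts}', details='{$details}'", $eo);
// }
```

Whether the log should contain any part of the password at all is a separate decision; if the table is readable by more than the administrator, logging only the username, address, timestamp and the attempt count avoids the question entirely.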
