
Failed logins documented with shortened passwords for safety

Posted: 2019-08-01 07:59
by onoehring
Hi,

As this idea evolved from Ahmed's Udemy course ( viewtopic.php?f=3&t=2079 ), I highly recommend the course to anyone. It's really good.

Ahmed suggests in lesson 4.11 the reporting of failed logins. In this video/code he explains how to write specific data to the database for the admin to see. The idea is good in my opinion, but Ahmed also writes the full password that was used in a failed login attempt to the database. This, however, is a security concern, as the user might have simply mistyped a character. So a member with access to that table of failed logins might be able to guess the password of another user.
For this reason I suggest removing the last 4 characters from the logged password. I suggest using this code in the login_failed function in hooks/__global.php:

Code:

$ip = makeSafe($_SERVER['REMOTE_ADDR']);
$ts = date('Y-m-d H:i:s');
// Truncate the raw password first and escape only the finished string:
// escaping before truncation can cut an escape sequence in half, and the
// password would otherwise be escaped twice (here and again in $details).
$pw = $attempt['password'];
if (mb_strlen($pw) > 4) {
	$pw = mb_substr($pw, 0, -4);   // mb_* so a multibyte character is not split
} else {
	$pw = '';                      // 4 characters or fewer: mask everything
}
$pw = $pw . '****';
$details = makeSafe("User login failed. Username: {$attempt['username']}. Password (last 4 characters removed): $pw");
$eo = ['silentErrors' => true];    // AppGini's error-options array for sql()
sql("INSERT INTO logs SET ipaddr='{$ip}', time_stmp='{$ts}', details='{$details}'", $eo);

PS: Another change in my code compared to Ahmed's is that I am writing the timestamp to the database in a human-readable form.
Comments? Suggestions?

Olaf
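Editor's note: the following is an added example and not code from the post, from Ahmed's course or from AppGini. It factors the redaction into a helper that counts characters rather than bytes (so a multibyte password is not split mid-character) and fully masks passwords of four characters or fewer. Because dropping only the last four characters still records most of a typical password, it also shows an alternative that stores just the password's length and a keyed HMAC fingerprint: an admin can still see that the same wrong password was tried repeatedly (a typo) versus many different ones (a guessing run), but cannot read the attempt. The function names, the `LOG_FP_KEY` constant and the sample attempts are assumptions for the example; `makeSafe()`, `sql()` and `$eo` are AppGini's and appear only in the commented hook body.

```php
<?php
// Added example (editor's, not from the post or from AppGini). Needs only PHP's
// mbstring and hash extensions. $attempt mirrors the array AppGini passes to
// login_failed() in hooks/__global.php ('username', 'password').

/**
 * Drop the last $drop characters of $password and replace them with "****".
 * Counts characters, not bytes, so a multibyte password is not cut inside a
 * character; passwords of $drop characters or fewer are masked completely.
 */
function redact_password($password, $drop = 4) {
    $len  = mb_strlen($password, 'UTF-8');
    $kept = $len > $drop ? mb_substr($password, 0, $len - $drop, 'UTF-8') : '';
    return $kept . '****';
}

/**
 * Alternative that records nothing readable: the length plus a truncated
 * HMAC-SHA256 over the attempt. Identical wrong passwords give identical
 * fingerprints, so repeated typos are visible, but without $key (a secret kept
 * outside the database) the password cannot be recovered from the log.
 */
function password_fingerprint($password, $key) {
    $mac = hash_hmac('sha256', $password, $key);
    return sprintf('len=%d fp=%s', mb_strlen($password, 'UTF-8'), substr($mac, 0, 12));
}

/**
 * Build the details text for the log row from the raw attempt. SQL escaping is
 * deliberately left to the caller so it is applied once, to the finished string.
 */
function failed_login_details(array $attempt, $key, $mode = 'redact') {
    $username = isset($attempt['username']) ? $attempt['username'] : '';
    $password = isset($attempt['password']) ? $attempt['password'] : '';
    $pwInfo = ($mode === 'fingerprint')
        ? password_fingerprint($password, $key)
        : redact_password($password);
    return "User login failed. Username: {$username}. Password: {$pwInfo}";
}

/*
 * In hooks/__global.php the hook body from the post becomes (AppGini's
 * makeSafe() and sql() assumed; $eo is AppGini's error-options array;
 * LOG_FP_KEY is a hypothetical constant holding the server-side secret):
 *
 *   $ip      = makeSafe($_SERVER['REMOTE_ADDR']);
 *   $ts      = date('Y-m-d H:i:s');
 *   $details = makeSafe(failed_login_details($attempt, LOG_FP_KEY, 'fingerprint'));
 *   sql("INSERT INTO logs SET ipaddr='{$ip}', time_stmp='{$ts}', details='{$details}'", $eo);
 */

// Stand-alone demo on constructed input: php failed_login_demo.php
if (PHP_SAPI === 'cli') {
    $key = 'replace-with-a-random-secret-kept-outside-the-db';   // constructed
    $samples = [
        ['username' => 'olaf',   'password' => 'Tr0ub4dor&3'],  // 11 chars: 7 kept, "Tr0ub4d****"
        ['username' => 'olaf',   'password' => 'abcd'],         // 4 chars: "****"
        ['username' => 'maria',  'password' => 'pässwörd!'],    // 9 chars incl. multibyte: "pässw****"
        ['username' => "o'neil", 'password' => "it's"],         // quotes stay raw here; escaped once by the caller
    ];
    foreach ($samples as $attempt) {
        echo failed_login_details($attempt, $key), "\n";
        echo failed_login_details($attempt, $key, 'fingerprint'), "\n";
    }
}
```

The redaction is done on the raw password and `makeSafe()` is applied once to the completed `$details` string; escaping first and truncating afterwards can leave half an escape sequence in the logged text, and escaping twice stores doubled backslashes. The fingerprint mode is the one to prefer if the log table is readable by anyone other than the system owner.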