Failed logins documented with shortened passwords for safety

Got something cool to share with AppGini users? Feel free to post it here!
onoehring
AppGini Super Hero
Joined: 2019-05-21 22:42
Location: Germany

Post by onoehring » 2019-08-01 07:59

Hi,

As this idea evolved from Ahmed's Udemy course ( viewtopic.php?f=3&t=2079 ), I highly recommend the course to anyone. It's really good.

Ahmed suggests in lesson 4.11 the reporting of failed logins. In this video/code he explains how to write specific data to the database for the admin to see. The idea is good in my opinion, but Ahmed also writes the full password that was used in a failed login attempt to the database. This however is a security concern, as the user might have simply mistyped a character. So a member with access to that table of failed logins might be able to guess the password of another user.
For this reason I suggest removing the last 4 characters from the logged password. I suggest using this code in the hooks/__global.php function login_failed:

Code:

$ip = $_SERVER['REMOTE_ADDR'];
$ts = date('Y-m-d H:i:s'); // human-readable timestamp instead of a Unix epoch value
$pw = $attempt['password'];
// drop the last 4 characters of the raw password; truncating before escaping
// means the cut can never land in the middle of an escape sequence
if (strlen($pw) > 4) {
	$pw = substr($pw, 0, -4);
} else {
	$pw = '';
}
$pw = $pw . '****';
// escape once, at the point the string goes into SQL
$details = makeSafe("User login failed. Username: {$attempt['username']}. Password (last 4 characters removed): $pw");
$eo = ['silentErrors' => true]; // options array expected by AppGini's sql()
sql("INSERT INTO logs SET ipaddr='{$ip}', time_stmp='{$ts}', details='{$details}'", $eo);

PS: Another change in my code compared to Ahmed's is that I am writing the timestamp in a human-readable form to the database.
Comments? Suggestions?

Olaf
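A stricter variant of the same idea, added here as an example (not the original post's code and not part of AppGini): instead of a masked plaintext, the hook below stores only a coarse length bucket and a peppered, truncated HMAC of the attempt, so an admin can still tell a repeated identical wrong password (a typo) from varying guesses without any part of the password reaching the logs table. makeSafe(), sql() and the logs columns are taken from the post; the login_failed() signature is assumed to match AppGini's hook, and LOG_PEPPER and the bucket thresholds are assumptions.

```php
<?php
// Added example, not code from the original post or from AppGini itself: a
// login_failed() hook for hooks/__global.php that never stores the password.
// Assumptions: makeSafe() and sql() behave as in the post, the `logs` table has
// the ipaddr/time_stmp/details columns from the post, and LOG_PEPPER is a
// hypothetical constant you define in your own config, outside version control.

define('LOG_PEPPER', 'replace-with-a-long-random-secret'); // hypothetical placeholder

// Non-reversible fingerprint: 8 hex chars is plenty to spot repeats in the log;
// the secret pepper is what stops anyone with table access from guessing offline.
function failed_login_fingerprint($username, $password) {
    // bind to the username so the same wrong password on two accounts does not match
    return substr(hash_hmac('sha256', $username . "\0" . $password, LOG_PEPPER), 0, 8);
}

// Coarse bucket instead of the exact length, which would itself narrow a guess.
function password_length_bucket($password) {
    $len = strlen($password);
    if ($len === 0) return 'empty';
    if ($len < 8)   return 'short';
    if ($len < 16)  return 'medium';
    return 'long';
}

function login_failed($attempt, $memberInfo, &$args) {
    $ip       = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ts       = date('Y-m-d H:i:s');
    $username = isset($attempt['username']) ? (string) $attempt['username'] : '';
    $password = isset($attempt['password']) ? (string) $attempt['password'] : '';

    $details = sprintf(
        'User login failed. Username: %s. Password length: %s. Attempt fingerprint: %s',
        $username,
        password_length_bucket($password),
        failed_login_fingerprint($username, $password)
    );

    // escape every value exactly once, at the point it enters the SQL string
    $eo = ['silentErrors' => true];
    sql("INSERT INTO logs SET ipaddr='" . makeSafe($ip) . "', time_stmp='" . makeSafe($ts)
        . "', details='" . makeSafe($details) . "'", $eo);
}
```

Two failed attempts with the same fingerprint for one username point to a mistyped password being retried; a run of different fingerprints from one IP is the pattern worth alerting on.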
