diff --git a/docs/common/utils.php b/docs/common/utils.php index 7b6908d..5917e27 100644 --- a/docs/common/utils.php +++ b/docs/common/utils.php @@ -7,16 +7,14 @@ class User { public $user_id; public $user_name; - public $email; public $permissions; /** * Constructor for the User. */ - public function __construct($userId, $username, $email, $permissions) { + public function __construct($userId, $username, $permissions) { $this->user_id = $userId; $this->user_name = $username; - $this->email = $email; $this->permissions = $permissions; } } diff --git a/docs/www/login.php b/docs/www/login.php index ed5f190..961b48f 100644 --- a/docs/www/login.php +++ b/docs/www/login.php @@ -18,7 +18,6 @@ function attempt_login($conn, $username, $password) { global $passwordOld; global $usernameErr; global $passwordErr; - global $conn; // Check DB connection if($conn == null){ @@ -38,9 +37,9 @@ function attempt_login($conn, $username, $password) { // Check if both fields are filled, if not, set appropriate error messages. if (empty($username)) - $usernameErr = "Please enter your email"; + $usernameErr = "Please enter your username."; if (empty($password)) - $passwordErr = "Please enter your password"; + $passwordErr = "Please enter your password."; // If either of the fields were empty, // set old values for prefill and return. @@ -51,7 +50,7 @@ function attempt_login($conn, $username, $password) { } // Prepare and bind the sql statement - $stmt = $conn->prepare("SELECT user_id, email, password, + $stmt = $conn->prepare("SELECT user_id, password, created_at, permissions FROM users WHERE username = :username;"); $stmt->bindParam(":username", $username); @@ -72,7 +71,6 @@ function attempt_login($conn, $username, $password) { // Load results to variables $db_id = $result["user_id"]; - $db_email = $result["email"]; $db_password = $result["password"]; $db_permissions = $result["permissions"]; @@ -88,8 +86,7 @@ function attempt_login($conn, $username, $password) { } // Set the session logged in user. - $_SESSION["current_user"] = new User($db_id, $username, - $db_email, $db_permissions); + $_SESSION["current_user"] = new User($db_id, $username, $db_permissions); } /** diff --git a/docs/www/privacy.php b/docs/www/privacy.php index 3f45759..7c50a35 100644 --- a/docs/www/privacy.php +++ b/docs/www/privacy.php @@ -46,7 +46,6 @@ display_header("About");
+ Average time needed to crack a password with 12 RTX 4090 graphics cards + by length (source, + image): +
6 | +12 hours | ++ | 10 | +33k years | ++ | 14 | +805bn years | +
7 | +1 month | ++ | 11 | +2m years | ++ | 15 | +56tn years | +
8 | +7 years | ++ | 12 | +164m years | ++ | 16 | +3qd years | +
9 | +479 years | ++ | 13 | +11bn years | ++ | 17 | +276qd years | +
+ Note that these values assume that the attacker has access to a + database of hashed password, and is trying to log into as many + accounts as possible, so not really applicable for someone trying to + get into specifically your account and guessing the passwords, + but I believe it might still be a good wake-up call for people who + believe 6 or 8 characters are a "strong" password. +
++ In case you do not read the linked article (which you should!... + if this interests you, that is. The site has a really shitty, + anti-user design, but the info is a good introduction to the topic) + also note that I took those values from the column assuming + combination of capitalised and non-capitalised letters, + numbers and special symbols. +
+ ++ I recommend storing your login credentials safely on a piece of paper in a + locked book/drawer, or in an offline (or, if you need syncing, hosted + on-prem), encrypted FOSS password database (I recommend + KeePassXC). I would strongly advise + against reusing the same password and remembering it, or entrusting it + to some tech giant like mozilla, google, lastpass or whoever else + might be trying to convince you to store your passwords in their cloud. +
++ Important thing to remember if you are trying to protect against a + directed attack is to keep the length of you password randomized + as well, If I were an attacker, and you revealed to me that you use 12 + character password on my site, I am most likely going try that very + password an all the sites where I want to compromise you, and then + prioritize other 12 character passwords. By having your password length + random for each site (in a range you determine as safe, obviously), + you minimize this risk. +
+