From 081b26af6064f48af590a166a12925b5e2f16cdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zden=C4=9Bk=20Borovec?=
+ Average time needed to crack a password with 12 RTX 4090 graphics cards
+ by length (source,
+ image):
+
+ Note that these values assume that the attacker has access to a
+ database of hashed password, and is trying to log into as many
+ accounts as possible, so not really applicable for someone trying to
+ get into specifically your account and guessing the passwords,
+ but I believe it might still be a good wake-up call for people who
+ believe 6 or 8 characters are a "strong" password.
+
+ In case you do not read the linked article (which you should!...
+ if this interests you, that is. The site has a really shitty,
+ anti-user design, but the info is a good introduction to the topic)
+ also note that I took those values from the column assuming
+ combination of capitalised and non-capitalised letters,
+ numbers and special symbols.
+
You can learn more about what they mean in the
@@ -68,10 +67,6 @@ display_header("About");
username
This is the username the user chose at registration.
- Failed DB connection, cannot proceed!
+ If you see this error in production,
+ please shoot me an email with helpful details.
+ ");
+ include_once($GLOBALS['COMMONS']."/footer.php");
+ die();
+ }
+
+ // Sanitize inputs
+ $username = sanitize_input($username);
+ $password = sanitize_input($password);
+ $passwordConf = sanitize_input($passwordConf);
+
+ // Check if both mandatory fields are filled, if not, set appropriate error messages.
+ if (empty($username))
+ $usernameErr = "Please enter your username.";
+ if (empty($password))
+ $passwordErr = "Please enter your password.";
+ if($password != $passwordConf)
+ $passwordErr = "Password and confirmation are different.";
+
+ // If either of the fields were empty,
+ // set old values for prefill and return.
+ if(!empty($usernameErr) || !empty($passwordErr)) {
+ $usernameOld = $username;
+ $passwordOld = $password;
+ $passwordConfOld = $passwordConf;
+ return;
+ }
+
+ // See if a user with this name is already registered
+ $stmt = $conn->prepare("SELECT 1 FROM users WHERE username = :username;");
+ $stmt->bindParam(":username", $username);
+
+ // Execute the statement
+ $stmt->execute();
+
+ // Fetch the values
+ $result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+ // If the user is already in the database, or is using a forbidden name
+ // set errors, old values, and return.
+ if($result || strtolower($username) == "[deleted]" ||
+ strtolower($username) == "[guest]" ||
+ strtolower($username) == "zeftax") {
+ $usernameErr = "This username is not available";
+ $usernameOld = $username;
+ $passwordOld = $password;
+ $passwordConfOld = $passwordConf;
+ return;
+ }
+
+ // Hash the password before inserting
+ $password = password_hash($password, PASSWORD_DEFAULT);
+
+ // Insert the user into database and print a success message.
+ $stmt = $conn->prepare("INSERT INTO users (username, password)
+ VALUES (:username, :password);");
+ $stmt->bindParam(":username", $username);
+ $stmt->bindParam(":password", $password);
+
+ // Execute the statement
+ $stmt->execute();
+ printf("Registration succesful!
+ You can now continue to
+ Login.
+
+
+
+
+
+ 6
+ 12 hours
+
+ 10
+ 33k years
+
+ 14
+ 805bn years
+
+
+ 7
+ 1 month
+
+ 11
+ 2m years
+
+ 15
+ 56tn years
+
+
+ 8
+ 7 years
+
+ 12
+ 164m years
+
+ 16
+ 3qd years
+
+
+ 9
+ 479 years
+
+ 13
+ 11bn years
+
+ 17
+ 276qd years
+
+ I recommend storing your login credentials safely on a piece of paper in a + locked book/drawer, or in an offline (or, if you need syncing, hosted + on-prem), encrypted FOSS password database (I recommend + KeePassXC). I would strongly advise + against reusing the same password and remembering it, or entrusting it + to some tech giant like mozilla, google, lastpass or whoever else + might be trying to convince you to store your passwords in their cloud. +
++ Important thing to remember if you are trying to protect against a + directed attack is to keep the length of you password randomized + as well, If I were an attacker, and you revealed to me that you use 12 + character password on my site, I am most likely going try that very + password an all the sites where I want to compromise you, and then + prioritize other 12 character passwords. By having your password length + random for each site (in a range you determine as safe, obviously), + you minimize this risk. +
+ + +
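Review bot: The registration lines at L34-L36 run the password and its confirmation through `sanitize_input()` before the `!=` comparison and before `password_hash()` at L78, so whatever that helper strips or escapes (not visible here) silently becomes part of the stored credential, and a user whose password contains such characters may be unable to log in later unless the login path applies the identical transformation. Passwords should be compared and hashed as submitted: drop `$password = sanitize_input($password);` and `$passwordConf = sanitize_input($passwordConf);`, and compare strictly with `if ($password !== $passwordConf)` rather than the loose `!=`. The prefill at L50 and L72, `$passwordOld = $password;`, also carries the raw password back into the response for re-rendering; prefilling the username alone is the usual practice, so these two assignments can be removed. Note that `empty($password)` at L41 rejects the literal password `"0"`; `$password === ''` is the precise check. The hunk headers for the register.php portion appear to have been lost in this patch and the enclosing function starts and ends outside the visible lines, so the surrounding control flow is inferred.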