prepare("SELECT 1 FROM users WHERE username = :username;");
    $stmt->bindParam(":username", $username);
    // Execute the statement
    $stmt->execute();
    // Fetch the values: an associative array when a row matched, false when the
    // username is still free.
    $result = $stmt->fetch(PDO::FETCH_ASSOC);
    // If the user is already in the database, or is using a forbidden name,
    // set errors, old values, and return.
    // NOTE(review): this SELECT and the INSERT below are two separate statements, so
    // two concurrent registrations with the same name can both pass this check; the
    // database has to enforce uniqueness (UNIQUE index on users.username) — confirm.
    // NOTE(review): the reserved-name check is case-insensitive via strtolower(),
    // while the SQL equality follows the column collation; whether "Alice" and
    // "alice" collide in the database depends on that collation — verify intent.
    // The *Err / *Old variables are presumably declared global earlier in this
    // function (not visible here) so the form can re-display them.
    if($result || strtolower($username) == "[deleted]" || strtolower($username) == "[guest]" || strtolower($username) == "zdenek") {
        $usernameErr = "This username is not available";
        $usernameOld = $username;
        $passwordOld = $password;
        $passwordConfOld = $passwordConf;
        return false;
    }
    // Hash the password before inserting: $password now holds the hash, so the
    // plaintext never reaches the database.
    $password = password_hash($password, PASSWORD_DEFAULT);
    // Insert the user into database and print a success message.
    $stmt = $conn->prepare("INSERT INTO users (username, password) VALUES (:username, :password);");
    $stmt->bindParam(":username", $username);
    $stmt->bindParam(":password", $password);
    // Execute the statement
    // NOTE(review): the return value of execute() is ignored, so unless $conn uses
    // PDO::ERRMODE_EXCEPTION a failed INSERT (e.g. a uniqueness violation) still
    // reports success to the caller — confirm the error mode where $conn is created.
    $stmt->execute();
    return true;
}

display_header("Register");

/**
 * If the user submitted the form, process it. attempt_register() either inserts the
 * new user (true) or sets the error / old-value variables for the form below (false).
 * On success a confirmation and the footer are printed and the script exits, so the
 * registration form is not rendered again.
 * NOTE(review): the original comment said this starts a session; no session_start()
 * is visible here — confirm (display_header() may do it).
 * NOTE(review): the POST fields are read without isset(); a request carrying only
 * "submit" raises an undefined-index warning per missing field and passes null to
 * attempt_register() — presumably rejected by its validation, which is not visible here.
 * NOTE(review): no CSRF token is checked in this handler — confirm one is validated
 * elsewhere if the form is meant to be protected.
 */
if (isset($_POST["submit"])) {
    // Attempt to register
    $registerResult = attempt_register($conn, $_POST["username"], $_POST["password"], $_POST["password_conf"]);
    // If registration was successful, display message, footer and die.
    if($registerResult) {
        printf("

Registration succesful!

You can now continue to Login.
");
        include($_SERVER["DOCUMENT_ROOT"]."/../common/footer.php");
        die();
    }
}
?>
">

Register:


Average time needed to crack a password with 12 RTX 4090 graphics cards by length (source, image):
6 characters: 12 hours | 10 characters: 33k years | 14 characters: 805bn years
7 characters: 1 month | 11 characters: 2m years | 15 characters: 56tn years
8 characters: 7 years | 12 characters: 164m years | 16 characters: 3qd years
9 characters: 479 years | 13 characters: 11bn years | 17 characters: 276qd years

Note that these values assume the attacker has access to a database of hashed passwords and is trying to break into as many accounts as possible, so they are not really applicable to someone guessing passwords for your account specifically; but I believe they might still be a good wake-up call for people who think 6 or 8 characters make a "strong" password.

In case you do not read the linked article (which you should!... if this interests you, that is. The site has a really shitty, anti-user design, but the info is a good introduction to the topic), also note that I took those values from the column that assumes a combination of upper- and lower-case letters, numbers and special symbols.


I recommend storing your login credentials safely on a piece of paper in a locked book/drawer, or in an offline (or, if you need syncing, self-hosted on-prem), encrypted FOSS password database (I recommend KeePassXC). I would strongly advise against reusing the same password and memorising it, or entrusting it to some tech giant like Mozilla, Google, LastPass or whoever else might be trying to convince you to store your passwords in their cloud.

An important thing to remember if you are trying to protect against a targeted attack is to keep the length of your password randomized as well. If I were an attacker and you revealed to me that you use a 12-character password on my site, I would most likely try that very password on all the sites where I want to compromise you, and then prioritize other 12-character passwords. By keeping your password length random for each site (within a range you consider safe, obviously), you minimize this risk.