Collaborator

@nanaya nanaya commented Nov 26, 2019

That was weird. Slightly lenient password match check.

Comment on lines 74 to 77
// The goal is just to allow vaguely matching password - for
// example when trying same password - to be excluded from being
// counted as additional attempt.
return substr(sha1('osu_unique_'.md5($password)), 8, 12);
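
Review bot: the value returned on the last line is a 12-hex-character (48-bit) slice of sha1 over a constant prefix and md5($password), with no secret or per-user input, so wherever it is kept it can serve as a fast offline check for password guesses against that account. Consider deriving it with a keyed construction, for example an HMAC using a server-side secret and the user identifier, before truncating. The comment above it could also state directly that equal values only mean "probably the same password", since "vaguely matching password" reads as if similar passwords would match.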

Collaborator

But vaguely matching passwords would result in completely different hashes..?

Collaborator Author

as in there might be another password resulting in the same "hash"

Collaborator

Only same password and collisions would result in the same result, and the collisions won't even be from similar values since the password is being hashed? The chance of a vaguely matching password returning the same result might as well be non-existent

Collaborator Author

it's not "vaguely matching password" but "vaguely matching" password (as in just because it matches doesn't mean it's the same) 💃

Collaborator

it's not allowing anything then ಠ_ಠ

Collaborator

@notbakaneko notbakaneko left a comment

Is it intentional for non-existent users to match the same record?

@notbakaneko notbakaneko merged commit b14ae17 into ppy:master Nov 28, 2019
@nanaya nanaya deleted the login-attempts-update branch December 25, 2019 04:28