1

I want to create a function which will alert a user if there are multiple brute-force attempts on an account. The function will alert the user if there is more than a 75% string match. I have done this:

function Password_Match ($String, $Stored_Password){
    $New_String = str_split($String);                   // characters of the guess
    $New_Stored_Password = str_split($Stored_Password); // characters of the stored password
    $Match = 0;
    foreach ($New_String AS $Value){
        // counts a character of the guess that occurs anywhere in the stored
        // password, regardless of its position or how many times it appears
        if (in_array($Value,$New_Stored_Password)){
            $Match++;
        }
    }
    return $Match;
}

$String = "Test";
$Pass = "Tesst";
echo Password_Match($String,$Pass);

This returns 4, but there is obviously a flaw within my code that I can't figure out a solution to. Assistance would be brilliant.

Pekka
Sophie Mackeral
  • You are talking about "string match" as if there were a universal definition for it. – Jon Jun 22 '13 at 14:22
  • [php similar-text](http://php.net/manual/en/function.similar-text.php) – amigura Jun 22 '13 at 14:23
  • This function simply determines whether the characters of one string are present in another string. However, it cares neither about the position nor about repetitions. So `aaaaaa` and `abcdef` are said to have 6 matches, as each `a` in `aaaaaa` is present in `abcdef`. – Gumbo Jun 22 '13 at 14:49

3 Answers

6

You shouldn't be doing this in the first place.

Brute force attacks should simply be prevented by imposing hourly / daily limits on failed attempts. What does the user care how close the hackers were to guessing the password?

Also, much more importantly, you shouldn't be storing the user's password in clear text in the first place. That's a far more serious security problem than you can make up by telling the user about cracking attempts.

See these questions for some in-depth discussion on how to properly store passwords:

Pekka
    -1 for putting a comment as an answer, but +1 for pointing out the obvious "you shouldn't be storing the user's password in clear text" – Popnoodles Jun 22 '13 at 14:26
  • Yes, I agree @popnoodles. I do like the comment by OP: "there is obviously a flaw within my code" – amigura Jun 22 '13 at 14:36
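What this answer recommends in place of a "closeness" alert, as an added example that is not code from the question or from any of the answers: keep only a salted, slow hash of the password, count failed logins per account, lock the account after a fixed number of failures, and tell the owner about the lockout. The `users` table layout (`id`, `password_hash`, `failed_attempts`, `lock_until` as a unix time with 0 meaning not locked), the limits, and the `notifyAccountLocked` hook are illustrative assumptions; the demo at the bottom runs against an in-memory SQLite database with constructed data.

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions (illustrative): a `users` table with columns id, password_hash,
// failed_attempts and lock_until (unix time, 0 = not locked), accessed via PDO.

const MAX_FAILED_ATTEMPTS = 5;       // failures allowed before lockout
const LOCKOUT_SECONDS     = 15 * 60; // how long the lockout lasts

// Registration / password change: store a salted, slow hash, never the password.
function storePassword(PDO $pdo, int $userId, string $plaintext): void
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT); // bcrypt, salt included
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $hash, ':id' => $userId]);
}

// Hypothetical notification hook; a real application would email or page the owner.
function notifyAccountLocked(int $userId, int $failed): void
{
    echo "alert: user $userId locked after $failed failed attempts\n";
}

// Login: refuse while locked, verify against the hash, count failures.
// Returns true only for a correct password on an unlocked account.
function attemptLogin(PDO $pdo, int $userId, string $guess): bool
{
    $stmt = $pdo->prepare('SELECT password_hash, failed_attempts, lock_until FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown account
    }

    $now = time();
    if ((int) $row['lock_until'] > $now) {
        return false; // locked: the guess is not evaluated at all
    }

    if (password_verify($guess, $row['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_attempts = 0, lock_until = 0 WHERE id = :id')
            ->execute([':id' => $userId]);
        return true;
    }

    $failed    = (int) $row['failed_attempts'] + 1;
    $lockUntil = $failed >= MAX_FAILED_ATTEMPTS ? $now + LOCKOUT_SECONDS : 0;
    $stmt = $pdo->prepare('UPDATE users SET failed_attempts = :f, lock_until = :l WHERE id = :id');
    $stmt->execute([':f' => $failed, ':l' => $lockUntil, ':id' => $userId]);

    if ($lockUntil > 0) {
        notifyAccountLocked($userId, $failed); // the event the owner actually needs to hear about
    }
    return false;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT,
            failed_attempts INTEGER NOT NULL DEFAULT 0, lock_until INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO users (id) VALUES (1)');
storePassword($pdo, 1, 'Tesst');

// 'Test' differs from the real password by one character, but it is simply wrong;
// the first correct guess resets the counter, the later run of failures locks the
// account, and the final correct guess is refused because the lockout is active.
foreach (['Test', 'Tesst', 'Tes', 'test', 'Tess', 'TEST', 'Testt', 'Tesst'] as $guess) {
    $ok = attemptLogin($pdo, 1, $guess);
    printf("%-6s -> %s\n", $guess, $ok ? 'accepted' : 'rejected');
}
```

Because only the hash is kept, there is no plaintext left to measure a guess against, so the "75% match" alert cannot be built on top of this design even if one wanted it; the lockout notification carries the information the user can act on. The per-account counter should normally be paired with a per-source-IP limit so that a single attacker cannot lock legitimate users out at will.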
1

What you're trying to do is measure the edit distance between two strings. PHP has a built-in function to accomplish this.

int levenshtein ( string $str1 , string $str2 )

To wrap up the answer:

$x = levenshtein($str1, $str2); // number of single-character edits between the strings

// Normalise by the longer string so the ratio stays within 0..1, and subtract
// from 1 so that 0 edits (identical strings) gives a similarity of 1.0
$ratio = 1 - $x / max(strlen($str1), strlen($str2));

if ($ratio > 0.75) {
    // case match
} else {
    // case mismatch
}
DevZer0
0

Passwords should be encrypted using one-way encryption; they should not be stored in the database as plain text. BUT if you really want to approach it this way, try something like this:

function Password_Match ($String, $Stored_Password){
    // similar_text() fills $Percentage (passed by reference) with the
    // similarity of the two strings as a percentage of their combined length
    similar_text($String,$Stored_Password,$Percentage);
    if ($Percentage > 75){
        return true;
    }
    return false;
}
Daryl Gill
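The two built-in measures used in the answers above (`levenshtein()` and `similar_text()`), each turned into a 0..1 similarity score and run side by side with the question's own character-counting scheme on the strings from the question and from Gumbo's comment. This is an added example, not code from the question or either answer; the 75% threshold and the sample pairs are illustrative, and only core PHP is used.

```php
<?php
// Added example, not part of the original question or answers.
// Uses only core PHP; threshold and sample pairs are illustrative.

// levenshtein() returns the number of single-character insertions, deletions
// and substitutions. Dividing by the longer string keeps the value within
// 0..1, and subtracting from 1 turns a distance into a similarity.
function levenshteinSimilarity(string $a, string $b): float
{
    $maxLen = max(strlen($a), strlen($b));
    if ($maxLen === 0) {
        return 1.0; // two empty strings are identical
    }
    return 1.0 - levenshtein($a, $b) / $maxLen;
}

// similar_text() fills its third argument with a percentage derived from the
// longest common substrings; unlike levenshtein() its result can depend on
// the order of the two arguments in edge cases.
function similarTextSimilarity(string $a, string $b): float
{
    similar_text($a, $b, $percent);
    return $percent / 100.0;
}

// The check the question asked for, built on the edit-distance score.
function isCloseGuess(string $guess, string $password, float $threshold = 0.75): bool
{
    return levenshteinSimilarity($guess, $password) > $threshold;
}

// The question's own scheme, kept only for comparison: it counts characters
// of $a that occur anywhere in $b, ignoring position and repetition.
function charactersPresent(string $a, string $b): int
{
    $count = 0;
    foreach (str_split($a) as $ch) {
        if (strpos($b, $ch) !== false) {
            $count++;
        }
    }
    return $count;
}

// Constructed sample pairs (guess, stored password).
$pairs = [
    ['Test',    'Tesst'],   // the question's example
    ['aaaaaa',  'abcdef'],  // Gumbo's counter-example: 6 "present", far from similar
    ['Tesst',   'tsseT'],   // same letters, different string
    ['hunter2', 'Hunter2'], // one case change; comparisons are case-sensitive
];
printf("%-8s %-8s %8s %12s %13s %s\n",
    'guess', 'stored', 'present', 'levenshtein', 'similar_text', 'close?');
foreach ($pairs as [$guess, $stored]) {
    printf("%-8s %-8s %8d %12.2f %13.2f %s\n",
        $guess, $stored,
        charactersPresent($guess, $stored),
        levenshteinSimilarity($guess, $stored),
        similarTextSimilarity($guess, $stored),
        isCloseGuess($guess, $stored) ? 'yes' : 'no');
}
```

Every function here takes the stored password in the clear, which is exactly the condition the accepted answer rules out: once passwords are kept only as hashes, the closest thing to a similarity test that remains is the single yes/no answer from `password_verify()`.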