has_unpublished_password 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ccd1bd39bcceaea24cb767e8378b0a2a95590a8f3639585cb571072ec3d7d40b
|
|
4
|
+
data.tar.gz: 71170d7d08eeb3452a39970216f2188ee5e68ae883db8b3a6dee80387161c635
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b615eb2ad57cb7678ba7ae60e4d1d7f6dfd1df8de58e01e4387bf34293d91721d4384029489098b065a9a61f6b9c3ea717a094dd550bbe37e9f37d9e995e70ea
|
|
7
|
+
data.tar.gz: 931357de56d6cbbc8b3e0e8eb36ad69790d5d1db108ce0d4dbd63ceee13dea757ad1b929ad5992242800661208957e8cb4a40de5f423ebab9a694e007a474f74
|
data/README.md
CHANGED
|
@@ -2,23 +2,24 @@
|
|
|
2
2
|
|
|
3
3
|
## What is it?
|
|
4
4
|
|
|
5
|
-
This is a gem which performs offline checks against the [HIBP](https://haveibeenpwned.com/) master list.
|
|
5
|
+
This is a gem which performs offline checks against the [HIBP](https://haveibeenpwned.com/) master list (well, the top 11,000,000 passwords in it).
|
|
6
6
|
|
|
7
7
|
It can be used to ensure that your users are not using credentials which have previously been leaked.
|
|
8
8
|
|
|
9
|
-
The checks are performed using a pre-built
|
|
9
|
+
The checks are performed using a pre-built bloom filter.
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
### Why not the full list?
|
|
12
|
+
There's a tradeoff to be made between the false positive rate, the number of passwords checked, and the amount of disk/network bandwidth used.
|
|
13
|
+
|
|
14
|
+
The full list is ~11gb compressed, and the smallest bloom filter that'll get an acceptable false positive rate on the full list is ~1gb. This gem is 32mb.
|
|
12
15
|
|
|
13
|
-
|
|
16
|
+
## Status
|
|
14
17
|
|
|
15
|
-
|
|
18
|
+
In use in production on a fairly large site (https://radiopaedia.org).
|
|
16
19
|
|
|
17
|
-
|
|
18
|
-
* The 'top 5600k passwords' filter is 9.6mb, with a 2.1% false positive rate. Uses 8mb ram once loaded.
|
|
19
|
-
* The 'top 56m passwords' filter is 80mb, with a 2.6% false positive rate. Uses 67mb ram once loaded.
|
|
20
|
+
The released version of this gem includes ~30mb of bloom filter containing the top 11,200,000 most-leaked passwords according to HIBP.
|
|
20
21
|
|
|
21
|
-
|
|
22
|
+
Checking set membership is *fast*, and the false positive rate is about 0.001%.
|
|
22
23
|
|
|
23
24
|
## Installation
|
|
24
25
|
|
|
@@ -26,7 +27,6 @@ Add this line to your application's Gemfile:
|
|
|
26
27
|
|
|
27
28
|
```ruby
|
|
28
29
|
gem 'has_unpublished_password'
|
|
29
|
-
gem 'hibp-cuckoo-filter' # optional data files, if you don't want to build your own.
|
|
30
30
|
```
|
|
31
31
|
|
|
32
32
|
And then execute:
|
|
@@ -39,53 +39,20 @@ Or install it yourself as:
|
|
|
39
39
|
|
|
40
40
|
## Usage
|
|
41
41
|
|
|
42
|
-
### Configuration
|
|
43
|
-
|
|
44
|
-
Add an initializer (eg `config/initializers/has_unpublished_password.rb`):
|
|
45
|
-
|
|
46
|
-
HasUnpublishedPassword.configure do |config|
|
|
47
|
-
# Valid values: :small, :medium, :large
|
|
48
|
-
config.filter = :large
|
|
49
|
-
end
|
|
50
|
-
|
|
51
|
-
|
|
52
42
|
### Validation
|
|
53
43
|
|
|
54
44
|
`validates :password, never_leaked_to_hibp: true`
|
|
55
45
|
|
|
56
|
-
### Low level usage
|
|
57
|
-
```
|
|
58
|
-
filter = HasUnpublishedPassword.import('serialized.json.gz')
|
|
59
|
-
filter.has? Digest::SHA1.hexdigest('password') # true
|
|
60
|
-
```
|
|
61
|
-
|
|
62
46
|
## Development
|
|
63
47
|
|
|
64
|
-
### Native component
|
|
65
|
-
|
|
66
|
-
The [native component](https://github.com/DanielHeath/rust-cuckoofilter) is written in rust.
|
|
67
|
-
|
|
68
|
-
To update it to a new version, cross compile it in release mode, then:
|
|
69
|
-
```
|
|
70
|
-
cd ../rust-cuckoofilter/cabi
|
|
71
|
-
|
|
72
|
-
cargo build --target=x86_64-unknown-linux-gnu --release
|
|
73
|
-
cp target/release/libcuckoofilter_cabi.d ../../has_unpublished_password/nativeext/x86_64/
|
|
74
|
-
|
|
75
|
-
cargo build --target=x86_64-apple-darwin --release
|
|
76
|
-
cp target/release/libcuckoofilter_cabi.dylib ../../has_unpublished_password/nativeext/x86_64/
|
|
77
|
-
```
|
|
78
|
-
|
|
79
48
|
### Building the filter
|
|
80
49
|
|
|
81
50
|
First, download the master list from HIBP (I used the 'ordered by frequency' list) and decompress it.
|
|
82
51
|
|
|
83
|
-
Then, run `data/prepare.
|
|
52
|
+
Then, run `bundle exec data/prepare-and-validate.rb <path-to-master-list-file>`.
|
|
84
53
|
|
|
85
54
|
This takes quite awhile; it'll print how many lines it's completed periodically.
|
|
86
55
|
|
|
87
|
-
This process writes its result to `serialized.json.gz` when complete.
|
|
88
|
-
|
|
89
56
|
## Contributing
|
|
90
57
|
|
|
91
58
|
Bug reports and pull requests are welcome on GitHub at https://github.com/danielheath/has_unpublished_password. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
|
@@ -98,16 +65,3 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
98
65
|
|
|
99
66
|
Everyone interacting in the HasUnpublishedPassword project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/has_unpublished_password/blob/master/CODE_OF_CONDUCT.md).
|
|
100
67
|
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
24 bits is 2mb. 1/3rd of values will be filled by 5 million rows.
|
|
112
|
-
|
|
113
|
-
take 6 24-bit sequences (for 12mb). That yields a 0.13% collision chance. That's promising.
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
class NeverLeakedToHibpValidator < ActiveModel::EachValidator
|
|
4
4
|
def validate_each(record, attribute, value)
|
|
5
|
+
return unless value
|
|
5
6
|
if HasUnpublishedPassword.has_been_published? value
|
|
6
7
|
record.errors[attribute] << (options[:message] || "That's one of the first passwords a hacker would try.")
|
|
7
8
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: has_unpublished_password
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Daniel Heath
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-06-
|
|
11
|
+
date: 2019-06-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|