omniauth-onetime 1.0.4 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +11 -2
- data/lib/omniauth/omniauth-onetime/version.rb +1 -1
- data/lib/omniauth/strategies/onetime.rb +3 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0e85bdc6ee5c9c9ab310e1413f99edf649bbdd81
|
|
4
|
+
data.tar.gz: 6704b9a92227d5289fba78c2237d00039f13a921
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7b71cf561ebcc9bee91dd0dc1a4afd34d034416c0651bb0aefa2974655602627a85bb29200498cb772c78995f29376658297358c2777905b7e93ff16b66b6d38
|
|
7
|
+
data.tar.gz: ef1ddba2ff02665ebf465a2a2fc9db343e6451f839cb74da05611a6cd12ef2eb3a7361b436436469486f7c66378af04323e312fa3ff35a70d46a2ae025249900
|
data/README.md
CHANGED
|
@@ -59,7 +59,7 @@ end
|
|
|
59
59
|
`config/routes.rb` file something like this:
|
|
60
60
|
|
|
61
61
|
```ruby
|
|
62
|
-
|
|
62
|
+
match '/auth/:provider/callback', to: 'sessions#create', via: [:get, :post]
|
|
63
63
|
```
|
|
64
64
|
|
|
65
65
|
`app/controllers/sessions_controller.rb` file something like this:
|
|
@@ -200,7 +200,8 @@ system using this gem. Using the default settings of an 8 letter password:
|
|
|
200
200
|
26^8 = 208,827,064,576 permutations
|
|
201
201
|
|
|
202
202
|
In order to compromise a password in 5 minutes an adversary will have to
|
|
203
|
-
hash nearly 700 million passwords per second
|
|
203
|
+
hash nearly 700 million passwords per second to ensure the password is cracked
|
|
204
|
+
within the time the password is valid.
|
|
204
205
|
|
|
205
206
|
26^8 permutations / 300 seconds = 696,090,216 hashes per second
|
|
206
207
|
|
|
@@ -217,6 +218,14 @@ A Zynq 7045 FPGA device was able to achieve
|
|
|
217
218
|
[226 hashes per second](http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/slide-50.html "Energy-efficient bcrypt cracking, slide 50")
|
|
218
219
|
at bcrypt cost 12.
|
|
219
220
|
|
|
221
|
+
The above scenario also assumes that the attack is either not through the web
|
|
222
|
+
app itself (ie there has already been a security breach) or that the web app is
|
|
223
|
+
not a limiting factor on the number of attempts. If a web app also employed a
|
|
224
|
+
solution like [Rack::Attack](https://github.com/kickstarter/rack-attack) to
|
|
225
|
+
limit sign-in attempts to 1 per second per ip then the chance
|
|
226
|
+
of cracking a random 8 letter password is 300 (approximate attempts) in 26^8
|
|
227
|
+
(permutations) or 1 in 696,090,216.
|
|
228
|
+
|
|
220
229
|
It's probably wise to keep this in mind:
|
|
221
230
|
|
|
222
231
|
[](https://xkcd.com/538/)
|
|
@@ -142,7 +142,9 @@ module OmniAuth
|
|
|
142
142
|
def send_password(email, plaintext)
|
|
143
143
|
# break the password into groups of 4 letters for readability and
|
|
144
144
|
# usability
|
|
145
|
-
|
|
145
|
+
pw = plaintext.scan(/.{4}/).join(' ')
|
|
146
|
+
link = "#{callback_url}?email=#{email}&password=#{plaintext}"
|
|
147
|
+
body = "Enter this code: #{pw}\nOr click this link:\n#{link}"
|
|
146
148
|
ActionMailer::Base
|
|
147
149
|
.mail(options[:email_options].merge(to: email, body: body))
|
|
148
150
|
.deliver_now
|