omniauth-onetime 1.0.4 → 1.0.5
- checksums.yaml +4 -4
- data/README.md +11 -2
- data/lib/omniauth/omniauth-onetime/version.rb +1 -1
- data/lib/omniauth/strategies/onetime.rb +3 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0e85bdc6ee5c9c9ab310e1413f99edf649bbdd81
|
4
|
+
data.tar.gz: 6704b9a92227d5289fba78c2237d00039f13a921
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7b71cf561ebcc9bee91dd0dc1a4afd34d034416c0651bb0aefa2974655602627a85bb29200498cb772c78995f29376658297358c2777905b7e93ff16b66b6d38
|
7
|
+
data.tar.gz: ef1ddba2ff02665ebf465a2a2fc9db343e6451f839cb74da05611a6cd12ef2eb3a7361b436436469486f7c66378af04323e312fa3ff35a70d46a2ae025249900
|
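Review bot: the removed lines carry no digest values at all (`metadata.gz:` and `data.tar.gz:` are empty under both the SHA1 and SHA512 headings), so the 1.0.4 checksums.yaml gave anyone verifying the package contents nothing to check against; 1.0.5 restores real digests for both archives. Since `gem build` writes this file, an empty one points at the 1.0.4 package having been assembled or repackaged outside the normal build, and that release step is worth confirming so it does not recur. When verifying, compare the SHA512 values; the SHA1 entries are present for the gem format's sake and should not be relied on for integrity.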
data/README.md
CHANGED
@@ -59,7 +59,7 @@ end
|
|
59
59
|
`config/routes.rb` file something like this:
|
60
60
|
|
61
61
|
```ruby
|
62
|
-
|
62
|
+
match '/auth/:provider/callback', to: 'sessions#create', via: [:get, :post]
|
63
63
|
```
|
64
64
|
|
65
65
|
`app/controllers/sessions_controller.rb` file something like this:
|
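Review bot: `via: [:get, :post]` on `match '/auth/:provider/callback'` opens the callback to GET requests, and the only reason visible on this page for doing so is the emailed link added in the `send_password` hunk below, which carries `email` and `password` as query parameters. The removed line's content is not rendered here, so the diff does not show whether GET is newly allowed or merely restated, but either way the README should say what the GET form implies: the one-time password travels in the URL, so it lands in web-server and proxy access logs and browser history, and it must only ever be served over HTTPS. Suggest a sentence to that effect next to the route, and pointing users at `sessions#create` treating a GET with credentials the same as the POST form (consume the password once, then redirect).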
@@ -200,7 +200,8 @@ system using this gem. Using the default settings of an 8 letter password:
|
|
200
200
|
26^8 = 208,827,064,576 permutations
|
201
201
|
|
202
202
|
In order to compromise a password in 5 minutes an adversary will have to
|
203
|
-
hash nearly 700 million passwords per second
|
203
|
+
hash nearly 700 million passwords per second to ensure the password is cracked
|
204
|
+
within the time the password is valid.
|
204
205
|
|
205
206
|
26^8 permutations / 300 seconds = 696,090,216 hashes per second
|
206
207
|
|
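Review bot: the rewritten sentence ending `to ensure the password is cracked within the time the password is valid` states the guaranteed-success bound, i.e. enumerating all of 26^8 in 300 seconds; for a uniformly random password the attacker expects to hit it after about half the space, so the expected requirement is roughly 348 million hashes per second, half the 696,090,216 figure. Worth adding that half-space number so readers do not treat the full-enumeration rate as the attacker's typical cost. It is also worth saying explicitly that this rate presumes an offline attack against an already-stolen bcrypt hash; the online case, where the web application caps the number of guesses, is covered by the paragraph added in the next hunk.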
@@ -217,6 +218,14 @@ A Zynq 7045 FPGA device was able to achieve
|
|
217
218
|
[226 hashes per second](http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/slide-50.html "Energy-efficient bcrypt cracking, slide 50")
|
218
219
|
at bcrypt cost 12.
|
219
220
|
|
221
|
+
The above scenario also assumes that the attack is either not through the web
|
222
|
+
app itself (ie there has already been a security breach) or that the web app is
|
223
|
+
not a limiting factor on the number of attempts. If a web app also employed a
|
224
|
+
solution like [Rack::Attack](https://github.com/kickstarter/rack-attack) to
|
225
|
+
limit sign-in attempts to 1 per second per ip then the chance
|
226
|
+
of cracking a random 8 letter password is 300 (approximate attempts) in 26^8
|
227
|
+
(permutations) or 1 in 696,090,216.
|
228
|
+
|
220
229
|
It's probably wise to keep this in mind:
|
221
230
|
|
222
231
|
[![xlcd: Security](http://imgs.xkcd.com/comics/security.png)](https://xkcd.com/538/)
|
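Review bot: the `1 in 696,090,216` figure only holds if the attacker is confined to a single IP address; the added text says `limit sign-in attempts to 1 per second per ip`, and a per-IP Rack::Attack throttle does nothing against guesses spread across many source addresses, so the 300-attempt cap does not follow from it. The limit that actually bounds guesses at one password is per account (per email) or per issued password, for example invalidating the one-time password after a handful of failed attempts within its 5-minute validity; suggest restating the throttle that way, and keeping per-IP limiting as a secondary measure. Two nits in the same hunk: `(ie there has already been a security breach)` should read `(i.e. there has already been a security breach)`, and the unchanged context line `[![xlcd: Security]` carries a pre-existing typo for xkcd.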
@@ -142,7 +142,9 @@ module OmniAuth
|
|
142
142
|
def send_password(email, plaintext)
|
143
143
|
# break the password into groups of 4 letters for readability and
|
144
144
|
# usability
|
145
|
-
|
145
|
+
pw = plaintext.scan(/.{4}/).join(' ')
|
146
|
+
link = "#{callback_url}?email=#{email}&password=#{plaintext}"
|
147
|
+
body = "Enter this code: #{pw}\nOr click this link:\n#{link}"
|
146
148
|
ActionMailer::Base
|
147
149
|
.mail(options[:email_options].merge(to: email, body: body))
|
148
150
|
.deliver_now
|
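Review bot: `link = "#{callback_url}?email=#{email}&password=#{plaintext}"` interpolates both values into the query string without encoding, so an address such as `user+tag@example.com` is received as `user tag@example.com` once the callback decodes `+` as a space, and an `&`, `=` or `#` in either value splits or truncates the parameters; build the query with `URI.encode_www_form(email: email, password: plaintext)` from the stdlib `uri` library instead, and guard against `callback_url` already containing a `?`. Two further points on this hunk: `plaintext.scan(/.{4}/)` silently drops a trailing group shorter than four characters, so a password whose length is not a multiple of 4 is displayed incomplete (`scan(/.{1,4}/)` keeps the remainder); and since the link carries the password in a GET URL it will be recorded in web-server and proxy access logs and browser history, can leak through the Referer header of any third-party resource loaded by the callback page, and may be consumed by mail-security link scanners that pre-fetch URLs before the user clicks. These should be documented alongside the feature, and access logging should at least strip query parameters on this route.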