hashview / hashview-old

A web front-end for password cracking and analytics
http://www.hashview.io
GNU General Public License v3.0
619 stars 134 forks

One Time Passwords - Google Authenticator #350

Closed nicbrink closed 6 years ago

nicbrink commented 6 years ago

Added an option to the accounts section to allow use of the Google Authenticator app to provide one-time passwords. If the MFA option is checked, the base32 secret is generated and stored in the users table.
If you go back in to edit the user, a QR code will be available that can be scanned with Google Authenticator.

As it is set up now, the password for an existing user will still exist and allow them to authenticate.

It could be possible to make this two-factor by leaving the password in place and adding a field for the one-time code.

Since there is so much sensitive information in the hashview database, and there is no provision to prevent password spraying, this seems like a good security improvement.

Thoughts?

i128 commented 6 years ago

Awesome work! I look forward to checking it out when i have a moment.

i128 commented 6 years ago

@nicbrink After I create an account to use Google authentication, how/when do I specify the code? I see that the value (use_MFA) is being set, along with the secret key, etc., but I'm not seeing it being checked under login.rb. Am I missing something?

nicbrink commented 6 years ago

I didn't change login.rb at all. The code change is in master.rb because I thought that is where the current password validation is being done.

```ruby
if user.mfa
  # MFA enabled: the submitted "password" is compared with the TOTP for the
  # current 30-second step only; the stored password hash is not consulted here.
  return user.username if pass == ROTP::TOTP.new(user.auth_secret).now.to_s
elsif user
  # MFA disabled: ordinary bcrypt comparison against hashed_password.
  return user.username if BCrypt::Password.new(user.hashed_password) == pass
end
```

I'm sure there is more that needs to be done to make this a bit more robust; I'm not sure I'm happy with how the QR codes are being generated. It could be better to send them via email or some other way.

I put up a quick item on the wiki on my page: https://github.com/nicbrink/hashview/wiki/One-Time-Password-with-Google-Authenticator I'll update it with how to actually log in.
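
The two-factor variant suggested earlier in this thread (password kept, one-time code required in addition), as an added example that is not hashview's or nicbrink's code. It implements TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) on the Ruby standard library so it runs without the rotp gem, uses PBKDF2-HMAC-SHA256 from the stdlib as a stand-in for the BCrypt hash hashview keeps in hashed_password, and takes the user as a Hash with the column names used in this thread (username, mfa, auth_secret, hashed_password). The helper names, the drift window and the RFC 6238 test secret used as sample input are all assumptions made for the example.

```ruby
require 'openssl'

# Added example, not hashview's code. TOTP is built on the stdlib (no rotp gem)
# and PBKDF2-HMAC-SHA256 stands in for BCrypt. The user is a Hash keyed by the
# column names mentioned in the thread.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
PBKDF2_ITERATIONS = 100_000
# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here as
# constructed sample input only.
RFC6238_TEST_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze

# Decode the base32 secret the authenticator app scanned (RFC 4648, padding optional).
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c.inspect}"
    idx.to_s(2).rjust(5, '0')
  end.join
  [bits].pack('B*').byteslice(0, bits.size / 8) # drop leftover pad bits
end

# TOTP value for one time step: HMAC-SHA1 over the big-endian step counter,
# dynamic truncation (RFC 4226 section 5.3), then modulo 10^digits.
def totp_at(secret_b32, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack('Q>')
  hmac = OpenSSL::HMAC.digest('SHA1', base32_decode(secret_b32), counter).bytes
  offset = hmac[-1] & 0x0f
  code = (hmac[offset] & 0x7f) << 24 |
         hmac[offset + 1] << 16 |
         hmac[offset + 2] << 8 |
         hmac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, '0')
end

# Constant-time comparison so a mismatch does not leak how many leading
# characters were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current step and `drift` steps either side, so a phone clock a few
# seconds off still works. Comparing against `ROTP::TOTP#now` alone accepts
# only the current step.
def totp_verify(secret_b32, code, time: Time.now, drift: 1, step: 30)
  return false unless code.is_a?(String) && code.match?(/\A\d{6}\z/)
  (-drift..drift).any? do |d|
    secure_equal?(totp_at(secret_b32, time.to_i + d * step, step: step), code)
  end
end

# Password hashing stand-in (PBKDF2 instead of BCrypt); stored as "salt$dk" in hex.
def hash_password(pass, salt = OpenSSL::Random.random_bytes(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(pass, salt: salt, iterations: PBKDF2_ITERATIONS,
                                length: 32, hash: 'sha256')
  "#{salt.unpack1('H*')}$#{dk.unpack1('H*')}"
end

def password_matches?(stored, pass)
  return false unless stored.is_a?(String) && pass.is_a?(String)
  salt_hex, = stored.split('$', 2)
  secure_equal?(hash_password(pass, [salt_hex].pack('H*')), stored)
end

# Two-factor version of the master.rb check: the password is always required,
# and when mfa is set the TOTP is required as well rather than replacing the
# password. Returns the username on success, nil otherwise.
def authenticate(user, pass, otp, time: Time.now)
  return nil unless user && password_matches?(user[:hashed_password], pass)
  return nil if user[:mfa] && !totp_verify(user[:auth_secret], otp, time: time)
  user[:username]
end

if __FILE__ == $PROGRAM_NAME
  alice = { username: 'alice', mfa: true, auth_secret: RFC6238_TEST_SECRET,
            hashed_password: hash_password('hunter2') }
  puts authenticate(alice, 'hunter2', totp_at(RFC6238_TEST_SECRET, Time.now)).inspect # => "alice"
end
```

The nil-user guard comes first on purpose: the quoted snippet evaluates `user.mfa` before it tests `user`, so an unknown username raises instead of failing cleanly. Checking the password before the TOTP also means a wrong password never reveals whether the account has MFA enabled.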

i128 commented 6 years ago

Okay, I think I found why it wasn't working for me. On line 88 under accounts.rb the line should read

if params[:mfa] && user.auth_secret == ''

instead of

if params[:mfa] && user.auth_secret = ''

Without this, any time the user saves the page, the user's auth_secret would be overwritten, invalidating the previous Google Authenticator pairing. I'll merge here and make the fix.
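
The enrollment side of the same feature, as an added example that is not hashview's code, written to show why the `=` form in the condition rotates the secret on every save and what the `==` form does instead. User and its fields mirror the column names used in this thread; the helper names, the 20-byte secret length, the otpauth issuer label and the choice to clear the secret when MFA is unchecked are assumptions made for the example.

```ruby
require 'openssl'
require 'uri'

# Added example, not hashview's code. User mimics the users-table row; helper
# names and the disable behaviour are assumptions.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
User = Struct.new(:username, :mfa, :auth_secret)

# 20 random bytes (160 bits) encode to exactly 32 base32 characters, so no
# padding is needed in the string the authenticator app scans.
def new_base32_secret
  OpenSSL::Random.random_bytes(20).unpack1('B*').scan(/.{5}/)
                 .map { |b| BASE32_ALPHABET[b.to_i(2)] }.join
end

# Buggy form of the accounts.rb condition: `=` assigns '' to auth_secret, and
# '' is truthy in Ruby, so the branch runs on every save and mints a fresh
# secret, which breaks the pairing already on the phone.
def save_mfa_buggy(user, params)
  if params[:mfa] && user.auth_secret = ''
    user.auth_secret = new_base32_secret
  end
  user.mfa = !!params[:mfa]
  user
end

# Fixed form: generate a secret only when MFA is on and none exists yet, so
# re-saving the edit page keeps the existing pairing. Unchecking MFA clears the
# secret (assumption) so a stale one cannot be reused later.
def save_mfa_fixed(user, params)
  if params[:mfa]
    user.auth_secret = new_base32_secret if user.auth_secret.to_s.empty?
    user.mfa = true
  else
    user.mfa = false
    user.auth_secret = ''
  end
  user
end

# otpauth URI the QR code on the edit page would encode (the Key URI Format
# understood by Google Authenticator). Issuer label is an assumption.
def otpauth_uri(user, issuer: 'hashview')
  label = URI.encode_www_form_component("#{issuer}:#{user.username}")
  "otpauth://totp/#{label}?secret=#{user.auth_secret}&issuer=#{URI.encode_www_form_component(issuer)}"
end

if __FILE__ == $PROGRAM_NAME
  u = User.new('alice', false, '')
  save_mfa_fixed(u, { mfa: 'on' })
  puts otpauth_uri(u)
end
```

Saving twice with the buggy version yields two different secrets; with the fixed version the second save is a no-op for auth_secret, which is the behaviour the comment above describes.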