Spring Security OTP Plugin for Grails
Rafael Luque, 20 November 2014
Transcript of Spring Security OTP Plugin for Grails
Spring Security OTP Plugin. Rafael Luque. On Strengthening Authentication for Grails Applications. Implements OATH Time-based OTP (RFC 6238).

Passwords are easier to crack than ever.

Secure Access to Backends. In complex webapps we usually provide web-based tools for administrators. Clients are not always security-conscious. Very powerful tools: weak passwords, access from shared computers, access from non-secure environments.

A single factor is easy to
Let's use 2 factors!

How secure is your password? Modern hardware (GPUs). A growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster. "The average web user maintains 25 separate accounts but uses just 6.5 passwords." Landmark Study (2007): https://research.microsoft.com/pubs/74164/www2007.pdf

An AMD Radeon HD7970 GPU can try on average 8.2 billion passwords each second. Project Erebus, 8 GPUs: 12 hours to brute force the whole keyspace for any 8-char password.

Brute force vs. applying rules learnt from leaked passwords. E.g. Jesus1975: 62^9 passwords to try, 19 days on an AMD Radeon HD7970; only 90 seconds running ocl-hashcat. http://hashcat.net/oclhashcat-plus/ http://ob-security.info/?p=546

"Crack Me If You Can" contest at DEFCON 2011: the winners cracked 88,546 passwords in 48 hours. http://contest-2011.korelogic.com/stats_CCDE2FAB9599C0A6.html

Just six days after the leak of 6.5 million LinkedIn password hashes, more than 90% of them were cracked. http://arstechnica.com/security/2012/08/passwords-under-assault/

Authentication factors (Wikipedia): Knowledge factor, "something the user knows" (password). Possession factor, "something the user has". Inherent factor, "something the user is" (retina vessels). Two of them give 2FA, all three give 3FA.

OTP pros/cons (Wikipedia). Pros: avoids classic attacks such as keyloggers, and MITB & MITM (only with an out-of-band channel). Cons: difficult to memorize; you need a paper list or an electronic generator; easily lost.

Where can you use OTP today? Google/Gmail, CMS, etc. ...and in your Grails apps.

Installation. Configuration. Sample App. Installation: using the install-plugin command or adding the following to BuildConfig.groovy. Available at OSOCO's GitHub: https://github.com/osoco/grails-spring-security-otp. Planning to publish in the Grails central repo in the following days.

Sample application spring-security-otp-sample, deployed on CloudFoundry: http://spring-security-otp-sample.cloudfoundry.com

Check your passwords now at: http://howsecureismypassword.net/

@rafael_luque. Built during OSOCO Hacker Fridays.