One-time password security risk

We are developing a web application in which the user must enter a one-time password (which we send to users via e-mail) to complete the operation. However, if a malicious user develops a bot and guesses the pattern by which we generate the one-time password, he can enter some random email identifier without even looking at the email and confirm a transaction with it. Thus, he can attack the system with false confirmations. Can someone please tell us how people handle this?

thanks

+4
8 answers

If your random one-time passwords have the same entropy as regular passwords, this should be as good as any other password solution.

Here is an example of a password generation snippet that should be pretty unpredictable:

    import java.security.SecureRandom;
    import java.util.Random;

    class Test {
        public static String generatePassword() {
            // Character pool: letters, digits, space and punctuation
            String chars = "abcdefghijklmnopqrstuvwxyz"
                         + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         + " 0123456789!@ %$%&^?|~'\"#+="
                         + "\\*/.,:;[]()-_<>";
            final int PW_LENGTH = 20;
            // SecureRandom is a cryptographically strong generator, unlike java.util.Random
            Random rnd = new SecureRandom();
            StringBuilder pass = new StringBuilder();
            for (int i = 0; i < PW_LENGTH; i++)
                pass.append(chars.charAt(rnd.nextInt(chars.length())));
            return pass.toString();
        }

        public static void main(String[] args) {
            System.out.println(generatePassword());
            System.out.println(generatePassword());
            System.out.println(generatePassword());
        }
    }

Output:

Qp';Md#93Dxh\0|%%Ny7
oqvntn2) .~W@ %P'EM*AS
WEo2sz2Sm~a'm=Ss&Lu[

+3

Just use a random password without patterns. The advantage is that you can make the password longer if it can be clicked in the mail, because the user does not need to type it.

+4

I assume from your description of the question that the one-time password you generate is actually some form of strong encryption, which you reverse to find out which account it refers to.

This is the wrong approach. The one-time password should be random, so there is no way to calculate the password from the email address. You need to save the one-time password (preferably hashed) together with the account information in the database and use it for the lookup.

+3

Create your passwords using a high-entropy source (on Unix, try /dev/urandom), which will give you unpredictable one-time passwords.

+2

Do not do this. Send them a URL with a huge password (a security ticket) in it as a URL argument, and organize your end so that if this argument is present and correct, (i) they are logged in, and (ii) the UUID expires, either immediately or within a day or two of sending it. It may take a little work depending on your container, but it is much safer. I use java.util.UUID for this; nice and long.

+2

You are right, you have a large security hole in the scheme, but you have discovered the wrong hole!

Your problem is that you send it by email. Email is not secure.

As for guessing, that should be statistically impossible if you use a password that is long enough. You might want to block people after they make 100 mistakes.

One trick I've seen is asking the user for a Paypal or bank account number. Then you make several deposits for random amounts. Thus, they see deposits of, say, 34, 91 and 82 cents. Then they use these numbers as a password! Pretty smart huh?

+1

Use a one-time password that cannot be calculated or guessed.

For example, use a random string generator to generate a 15-character string using a pool of capital letters, lowercase letters and numbers.

The result is 62^15 possible combinations, which would be extremely difficult to crack by brute force.

0

Having a six-digit random number as the OTP is not a security risk, provided that you disable the OTP after the first use. Guessing a 6-digit number in one attempt is next to impossible, and since you get only one try, brute force is nothing to worry about either. Just make sure you generate a really random number, for example using SecureRandom.

So, the steps to be taken:

  • Create a 6 digit OTP random number
  • Match this with your account (e.g. user enters email and OTP)
  • With each attempt to authenticate this user, the OTP is invalidated, whether the login was successful or not.

Using Java, you can use the following method to create OTP:

    import java.security.SecureRandom;
    import java.util.Random;

    // Returns a numeric OTP of exactly `length` digits. The %0Nd format keeps
    // leading zeros, which String.valueOf would drop (e.g. 42 -> "000042").
    public static final String getOTP(int length) {
        Random r = new SecureRandom();
        int bound = (int) Math.pow(10, length);
        return String.format("%0" + length + "d", r.nextInt(bound));
    }

Hope this makes sense.

0
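The flow from the answer above (generate with SecureRandom, tie the OTP to the account, invalidate it on the first attempt), combined with the earlier advice to store only a hash, as an added example; this is not code from any of the answers. The class and method names (OtpService, issue, verify), the 10-minute lifetime and the e-mail addresses are assumptions; it needs Java 16+ for the record.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Single-use, expiring OTP store (assumed names). Only a SHA-256 hash of
 *  "account:otp" is kept per account, and the entry is removed on the first
 *  verification attempt, successful or not, so a bot gets one guess in 10^6. */
public class OtpService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 10 * 60 * 1000L; // assumed lifetime: 10 minutes

    private record Entry(byte[] hash, long expiresAt) {}
    private final Map<String, Entry> pending = new HashMap<>();

    /** Issue a zero-padded numeric OTP for an account; the caller e-mails it. */
    public synchronized String issue(String account, int digits) {
        int bound = (int) Math.pow(10, digits);
        String otp = String.format("%0" + digits + "d", RNG.nextInt(bound));
        long expiresAt = System.currentTimeMillis() + TTL_MILLIS;
        pending.put(account, new Entry(sha256(account + ":" + otp), expiresAt));
        return otp;
    }

    /** One attempt per issued OTP: the entry is removed before comparing. */
    public synchronized boolean verify(String account, String otp) {
        Entry e = pending.remove(account);
        if (e == null || System.currentTimeMillis() > e.expiresAt()) return false;
        // isEqual is constant-time, so timing does not leak how many bytes matched
        return MessageDigest.isEqual(e.hash(), sha256(account + ":" + otp));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        OtpService svc = new OtpService();
        String otp = svc.issue("alice@example.com", 6);   // constructed sample account
        System.out.println("correct OTP, first try: " + svc.verify("alice@example.com", otp));
        String otp2 = svc.issue("bob@example.com", 6);
        System.out.println("wrong guess: " + svc.verify("bob@example.com", "000000"));
        System.out.println("real OTP after a wrong guess: " + svc.verify("bob@example.com", otp2));
    }
}
```

Hashing a six-digit code does not protect a leaked table against offline guessing (only a million candidates), so the single-use rule and the short lifetime are what actually limit an attacker here; the hash only keeps the plaintext code out of the database.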
