Home/ Questions/Q 6665671
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T02:44:52+00:00

We are developing a web application where user has to input a One Time

  • 0

We are developing a web application where user has to input a One Time Password (which we email to the users) to complete an operation. However, if a malicious user develops a bot and guesses the pattern in which we generate the One Time Password, he can input some random email id and by not even looking at the email he can confirm the transaction. That way he can attack the system with false confirmations. Can someone please let us know how people deal with this?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If your random one-time passwords have the same entropy as regular passwords, this should be just as fine as any other password solution.

    Here’s an example password generation snippet which should be fairly unpredictable:

    import java.security.SecureRandom;
import java.util.Random;

class Test {

    public static String generatePassword() {
        String chars = "abcdefghijklmnopqrstuvwxyz"
                     + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     + "0123456789!@%$%&^?|~'\"#+="
                     + "\\*/.,:;[]()-_<>";

        final int PW_LENGTH = 20;
        Random rnd = new SecureRandom();
        StringBuilder pass = new StringBuilder();
        for (int i = 0; i < PW_LENGTH; i++)
            pass.append(chars.charAt(rnd.nextInt(chars.length())));
        return pass.toString();
    }

    public static void main(String[] args) {
        System.out.println(generatePassword());
        System.out.println(generatePassword());
        System.out.println(generatePassword());
    }
}

    Output:

    Qp';Md#93Dxh\0|%%Ny7
    oqvntn2).~W@%P'EM*AS
    WEo2sz2Sm~a'm=Ss&Lu[

    • 0