In SN-909, Steve was suggesting that, for an OTP code, 6 digits was sufficient because the code is constantly changing (unless I was misunderstanding).
I'm not really seeing how this is the case unless other security measures are also in place. I've written programs to run simulations myself, and based on the results, it looks like a moving target roughly doubles the difficulty of brute force. Specifically, if I write a program to make 999,999 guesses on a 6 digit number where the target number changes every guess, there will be at least one correct guess roughly 50% of the time (vs 100% of the time on a stationary target).
Based on 1000 guesses per second (which is what Password Haystacks assumes for an online attack scenario), an attacker would have a 50% chance of guessing correctly in 18.52 minutes - not exactly great security.
Now, I do still see one advantage here to the moving target vs a stationary target, and that is that when the attacker guesses correctly, it only gets the attacker one single logon rather than actual knowledge of the password, because by the next logon the OTP code will have changed. But if that single logon grants the attacker the keys to the kingdom, it can still be devastating.
Possible mitigations might be rate limiting, account lockout on incorrect guesses, or reauthentication being required after logon, but I don't think we can assume that these mitigations are in place unless they are specifically mentioned.
Am I missing something?
EDIT: Minor grammar and spelling corrections
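As an added worked example (not the poster's own simulation program, which is not shown on the page), the following Python computes the brute-force odds against a stationary and a moving 6-digit code both in closed form and by Monte Carlo. The 1000 guesses/second rate is the figure quoted in the post; the 5-attempt lockout at the end is an assumed mitigation chosen for illustration, and the Monte Carlo run uses a smaller 3-digit space purely to keep it fast (the limit it converges to does not depend on the size of the space).

```python
import math
import random

DIGITS = 6
SPACE = 10 ** DIGITS          # 1,000,000 possible 6-digit codes
GUESS_RATE_PER_SEC = 1000     # online-attack rate quoted in the post (Password Haystacks figure)


def p_hit_stationary(guesses, space=SPACE):
    """Fixed target, attacker never repeats a guess: success is certain after `space` guesses."""
    return min(guesses, space) / space


def p_hit_moving(guesses, space=SPACE):
    """Target redrawn uniformly before every guess, so each guess is an independent 1/space shot.
    P(at least one hit in n guesses) = 1 - (1 - 1/space)**n, which tends to 1 - 1/e (about 0.632)
    as n approaches space. Earlier guesses never 'use up' part of the space."""
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def guesses_for_probability(target_p, space=SPACE):
    """Smallest number of guesses against a moving target that reaches success probability
    target_p (0 <= target_p < 1; 100% is never reached against a moving target)."""
    return math.ceil(math.log(1.0 - target_p) / math.log(1.0 - 1.0 / space))


def minutes_for_probability(target_p, rate=GUESS_RATE_PER_SEC, space=SPACE):
    """Wall-clock minutes at `rate` guesses/second to reach success probability target_p."""
    return guesses_for_probability(target_p, space) / rate / 60.0


def simulate_moving(guesses, trials, space, seed=1):
    """Monte Carlo check of p_hit_moving: the attacker walks the code space in order
    while a fresh uniformly random target is drawn before every guess (constructed data)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        for guess in range(guesses):
            if rng.randrange(space) == guess:
                hits += 1
                break
    return hits / trials


def p_hit_with_lockout(attempts_before_lockout, space=SPACE):
    """Assumed mitigation: lockout after k wrong attempts caps the attacker at k guesses
    against the moving target, so the odds collapse to roughly k/space."""
    return p_hit_moving(attempts_before_lockout, space)


if __name__ == "__main__":
    n = SPACE - 1   # the 999,999 guesses used in the post
    print(f"stationary target, {n} guesses: P(hit) = {p_hit_stationary(n):.6f}")
    print(f"moving target,     {n} guesses: P(hit) = {p_hit_moving(n):.4f}")
    print(f"moving target: 50% needs {guesses_for_probability(0.5)} guesses "
          f"= {minutes_for_probability(0.5):.2f} min at {GUESS_RATE_PER_SEC}/s")
    print(f"simulation (space 1000, 999 guesses, 3000 trials): "
          f"{simulate_moving(999, 3000, 1000):.3f}")
    print(f"lockout after 5 wrong attempts: P(hit) = {p_hit_with_lockout(5):.2e}")
```

Running it shows the two regimes side by side: against the fixed target 999,999 guesses are a near-certain hit, against the moving target the same effort lands at about 63% (1 - 1/e), and the 50% mark arrives after roughly ln(2) times the space, i.e. about 693,000 guesses, which at 1000/s is under twelve minutes. The last line is the point the post makes about mitigations: once a lockout caps the attacker at a handful of attempts per code, the success probability drops to a few in a million, so the security of a 6-digit OTP rests on that cap rather than on the code moving.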