One time password security risk

Tags: java, security, web

We are developing a web application where a user has to input a One Time Password (which we email to the user) to complete an operation. However, if a malicious user develops a bot and guesses the pattern in which we generate the One Time Password, he can input some random email id and, without even looking at the email, confirm the transaction. That way he can attack the system with false confirmations. Can someone please let us know how people deal with this?

Thanks

Gopal asked Oct 10 '11 19:10


1 Answer

Just use a random password without patterns. The advantage is you can make the password longer if it is clickable in the mail, because the user doesn't have to type it.

MasterCassim answered Oct 04 '22 21:10
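The answer above in working form, as an added example that is not part of the original question or answer: the code is generated from `SecureRandom` (a CSPRNG, so there is no pattern a bot can learn from earlier values), the long URL-safe form is meant to be embedded in a clickable link as the answer suggests, and a short numeric form is kept for the case where the user must type it. It also goes a little beyond the answer with the checks a practitioner would want around such a code: the server stores only a hash of the secret, the comparison is constant-time, the code expires, guesses per operation are capped, and a code that has been used once is discarded so it cannot be replayed. The operation id, the storage map, the lifetime and the attempt limit are assumptions chosen for the example, not anything from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Unpredictable one-time passwords for an e-mail confirmation step (added example). */
public class OneTimePasswordService {

    private static final SecureRandom RNG = new SecureRandom();   // CSPRNG: no guessable pattern
    private static final int TOKEN_BYTES = 24;                    // 192 bits, fine for a clickable link
    private static final int CODE_DIGITS = 8;                     // short form if the user must type it
    private static final Duration LIFETIME = Duration.ofMinutes(15); // assumed lifetime
    private static final int MAX_ATTEMPTS = 5;                    // assumed guess limit per operation

    /** What the server keeps per pending operation: a hash of the secret, never the secret. */
    private static final class Pending {
        final byte[] secretHash;
        final Instant expiresAt;
        int attemptsLeft = MAX_ATTEMPTS;

        Pending(byte[] secretHash, Instant expiresAt) {
            this.secretHash = secretHash;
            this.expiresAt = expiresAt;
        }
    }

    // Keyed by an operation id (assumed); in a real app this lives in a database, not memory.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Long URL-safe token to embed in a link, so the user clicks instead of typing. */
    public String issueLinkToken(String operationId) {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        remember(operationId, token);
        return token;
    }

    /** Short numeric code for when it must be typed; each digit is uniformly random. */
    public String issueNumericCode(String operationId) {
        StringBuilder sb = new StringBuilder(CODE_DIGITS);
        for (int i = 0; i < CODE_DIGITS; i++) {
            sb.append(RNG.nextInt(10));
        }
        String code = sb.toString();
        remember(operationId, code);
        return code;
    }

    private void remember(String operationId, String secret) {
        pending.put(operationId, new Pending(sha256(secret), Instant.now().plus(LIFETIME)));
    }

    /** Succeeds at most once per issued code; rejects expired, exhausted or wrong submissions. */
    public synchronized boolean confirm(String operationId, String submitted) {
        Pending p = pending.get(operationId);
        if (p == null) {
            return false;
        }
        if (Instant.now().isAfter(p.expiresAt) || p.attemptsLeft <= 0) {
            pending.remove(operationId);                      // stale or brute-forced: drop it
            return false;
        }
        p.attemptsLeft--;
        // Constant-time comparison so response timing does not leak how many bytes matched.
        boolean ok = MessageDigest.isEqual(p.secretHash, sha256(submitted));
        if (ok) {
            pending.remove(operationId);                      // one-time: a second use is refused
        }
        return ok;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }

    public static void main(String[] args) {
        OneTimePasswordService svc = new OneTimePasswordService();
        String token = svc.issueLinkToken("op-123");          // "op-123" is a constructed sample id
        System.out.println("link: https://example.invalid/confirm?op=op-123&t=" + token);
        System.out.println("wrong guess accepted? " + svc.confirm("op-123", "guess"));   // false
        System.out.println("real token accepted?  " + svc.confirm("op-123", token));     // true
        System.out.println("replay accepted?      " + svc.confirm("op-123", token));     // false
    }
}
```

The point the question worried about, a bot that submits confirmations for an address it never reads, is addressed by two things together: the token carries enough entropy that guessing it is not feasible, and the confirmation is bound to a specific pending operation with a small guess budget and a short lifetime, so even a flood of bogus submissions cannot turn into a false confirmation.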