
Generate unique pin numbers (6 digits) using current time and username + password?

Developer https://www.devze.com 2023-03-09 21:53 Source: web
I need to use the current time because later on, another program will need to know when I generated the pin and what's the username and password.

Summary:

  • Username + password + current time = pin [6 digits]

  • Reverse: from the generated pin, I need to know which particular one it is, and check if it's already past 1 minute.

I am not asking for direct code, but I need to know the best, or not to say best, a good way/algorithm for it. Thanks (btw, I am a C++ beginner)

EDIT:

I am sorry for not making things clear. Actually, I don't need the OTP; after generating the pin, the other program will need to run like this: validate {username} {password} {pin}


999999 minutes gives ~694 days, ~1.9 years. So if you used all the entropy available just for recording the current time, you'd cycle the value in less than 2 years.

And things will be much worse if you want to include the username and password, and avoid easy guessing.

With 6 decimal digits, you can store about 19 bits of data. So you'll have to make sure that you have strong anti-brute-force protection on your server end, otherwise it'll be trivial to try all possible combinations.

One-time passwords do not have an internal decodable structure; they are typically used in addition to a normal password, to act as a second factor in authentication. They can be based on the time as you are suggesting, but are not reversible - the other end also has the secret key, and can generate the possible list itself.

So, for example, as well as entering a username and (normal) password, the user enters the value from a token, which is generated as AES(secretkey, currentminute), and the server computes AES(secretkey, currentminute) and AES(secretkey, currentminute-1) etc., to compare the value against. It might also record which token matches, so that it keeps an estimate of the token's clock accuracy, which allows some drift of the token's clock as long as it's used frequently enough. To work out how to best use the 19 bits you have in a 6-digit pin, you'll need someone who is a real cryptographer - as I would guess that taking a simple truncation might be insecure.
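The scheme the answer above sketches, as an added example that is not part of the original answer: token and server both compute a keyed function of the current minute, and the server checks the current step plus its neighbours while remembering which neighbour matched as the token's clock drift. It assumes a 60-second step (the answer's "currentminute") and swaps the answer's AES for HMAC-SHA1 with dynamic truncation, which is the standard way (RFC 4226 HOTP / RFC 6238 TOTP) of reducing a MAC to 6 decimal digits. The secret in the demo is the RFC 4226 published test key, not a real key.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Added example (not code from the answer or the site). Server-side logic only:
# nothing is decoded from the 6 digits, the server regenerates the candidates.

STEP_SECONDS = 60      # the answer's "currentminute"; RFC 6238 deployments usually use 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1,
           known_drift: int = 0, step: int = STEP_SECONDS) -> Optional[int]:
    """Compare against the current step and +/- `window` neighbours, centred on the
    drift previously observed for this token. Returns the step offset that matched
    (store it as the new drift estimate) or None if nothing matched."""
    base = unix_time // step + known_drift
    for offset in range(-window, window + 1):
        candidate = hotp(secret, base + offset)
        if hmac.compare_digest(candidate, code):              # constant-time compare
            return known_drift + offset
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 4226 test-vector secret (constructed demo, not a real key)
    now = 1_700_000_000
    code = totp(secret, now)
    print("token shows     ", code)
    print("server accepts  ", verify(secret, code, now))                              # 0
    print("token 1 min slow", verify(secret, totp(secret, now - STEP_SECONDS), now))  # -1
    print("replay 3 min on ", verify(secret, code, now + 3 * STEP_SECONDS))          # None
```

The returned offset is what the answer calls recording "which token matches": persisting it per token and passing it back as `known_drift` next time keeps a slowly drifting clock inside the window. The window itself is a trade-off, since every extra step accepted multiplies the number of valid codes an attacker could guess at; the 19-bit space is the reason the answer insists on server-side brute-force protection.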


Promoted my earlier comment to an answer, as an afterthought:

I'm pretty sure it is deceiving to call this 'otp'. OTP is purely random and secret.

What you describe is a simple hash.

You could

 MD5(username+password_hash+(seconds_past_1970%60))

I'm sure that, besides using public key encryption instead of the password, this is more or less how RSA keys do it.

Edit Oh yes: it will be pretty trivial to generate 6 digits from the resulting hash :)

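The answer's one-liner turned into the questioner's "validate {username} {password} {pin}" flow, as an added example that is neither the answer's nor the site's code. Assumptions: the minute counter (seconds since 1970 divided by 60) is used in place of the answer's `seconds_past_1970%60`, so the pin identifies the minute it was generated in; the server accepts the current and the previous minute, which is the "already past 1 minute" check; MD5 is kept because the answer names it, although an HMAC would be the usual choice for a keyed derivation; the per-user failure counter illustrates the brute-force protection the first answer asks for. The user store and password hashing are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict

DIGITS = 6
MAX_FAILURES = 5            # anti-brute-force: lock the account after this many bad attempts


def password_hash(password: str) -> str:
    # Constructed stand-in for whatever password hash the server already stores.
    return hashlib.sha256(password.encode()).hexdigest()


def pin_for_minute(username: str, stored_hash: str, minute: int) -> str:
    """The answer's construction: MD5(username + password_hash + minute), reduced to 6 digits."""
    digest = hashlib.md5(f"{username}{stored_hash}{minute}".encode()).digest()
    value = int.from_bytes(digest[:4], "big")      # 32 bits of the hash is plenty for 6 digits
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def make_pin(username: str, password: str, unix_time: int) -> str:
    """Client side: the pin for the minute in which it is generated (assumed //60 granularity)."""
    return pin_for_minute(username, password_hash(password), unix_time // 60)


class PinValidator:
    """Server side of 'validate {username} {password} {pin}'. Nothing is decoded
    from the pin: the server recomputes it for the claimed user for the current
    and the previous minute and compares."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                      # username -> stored password hash (constructed)
        self.failures: Dict[str, int] = {}

    def validate(self, username: str, password: str, pin: str, unix_time: int) -> bool:
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False                        # locked: 10^6 guesses are cheap otherwise
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password_hash(password)):
            return self._fail(username)
        minute = unix_time // 60
        for m in (minute, minute - 1):          # pins older than one minute are rejected
            if hmac.compare_digest(pin_for_minute(username, stored, m), pin):
                self.failures.pop(username, None)
                return True
        return self._fail(username)

    def _fail(self, username: str) -> bool:
        self.failures[username] = self.failures.get(username, 0) + 1
        return False


if __name__ == "__main__":
    server = PinValidator({"alice": password_hash("correct horse")})   # constructed user store
    t = 1_700_000_000
    pin = make_pin("alice", "correct horse", t)
    print("pin", pin, "accepted now:", server.validate("alice", "correct horse", pin, t))
    print("same pin 2 minutes later:", server.validate("alice", "correct horse", pin, t + 120))
```

Because the pin is bound to the username and password hash as well as the minute, "reversing" it is never needed: the validating program is given the username and password, recomputes two candidates, and the minute boundary it accepts is exactly the one-minute expiry the question asks for.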
