Comments (9)
The initial alphabet is the Base32 alphabet, which has some advantages, especially if the secret is being used in a URL, which is the case.
Maybe you can implement an additional method, and with some parameter in code the random number will be generated by using your implementation.
from gotp.
A secret stuffed into a URL should almost certainly not be in the clear... so I think you mean:
"Please provide a wrapper function to RandomSecret which Base32's (or url-safe-encodes) the resulting secret"
correct?
from gotp.
This is done, btw.
from gotp.
Sorry, I could not correctly explain what I mean. IMHO it would be better not to change the existing RandomSecret
method but to implement a new one, giving it a different name, since it can be used in other projects and the secret generated by that method is used in ProvisioningUri
(sorry for my mistake, not URL but URI in my initial comment).
from gotp.
It looks like, according to sourcegraph's view:
https://sourcegraph.com/github.com/xlzd/gotp@master/-/blob/utils.go#L79:6&tab=references
the only user of this function is ... this code.
I think it's safe to just make this better. Leaving it as is makes the possible passwds created pretty horrifically bad, so why don't we just make the result better, eh? :)
from gotp.
This usage only includes projects whose source is publicly available.
So, actually there is a key specification which says it should be Base32 encoded, to work with Google Authenticator.
I think it is the same to generate a random byte array and then encode it with Base32 as to generate a random string of the Base32 alphabet.
from gotp.
So, it looks, to me, like the function built:
RandomSecret()
before I looked/changed things makes a passwd with at most 32 possible options per char returned.
That's not really great :(
If your argument is that:
- existing people may be using this - Great, let's get them some better security.
- the use-cases may be to form into QRCodes/etc so we need base32 - ok, url-escape or just adding Base32 should be fine
- I think providing bad passwds as part of infrastructure software is a bad plan, let's make this better.
from gotp.
If we solve the problem with 2, then 1 and 3 are OK.
About 2: in the current implementation, since at the end whatever we do will be a random string of the alphabet used in base32, which if decoded back maps to a byte array without restrictions (any byte from 0x00 to 0xFF), we have more randomness per character in the final string than generating a random string of an alphabet of 82 chars (10 + 26 + 26 + 20) and then getting the base32 encoding of it.
For example, I think it is the same:
- to generate a random byte array of length 10 and then encode it to a base32 string (will result in a length of 16)
- to generate a random string of length 16 with the alphabet of base32.
Could I explain my point?
from gotp.
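The two constructions debated above (random bytes then Base32, versus characters drawn uniformly from the Base32 alphabet), as an added example that is not gotp's own code; the function names `SecretFromRandomBytes`, `SecretFromAlphabet`, `EntropyBits` and `IsValidBase32Secret` are assumed here, and both routes use the OS CSPRNG so the per-character entropy claim in the thread (5 bits per Base32 character) actually holds.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"math"
	"math/big"
	"strings"
)

// base32Alphabet is the RFC 4648 alphabet that Google Authenticator expects.
const base32Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// Route A: draw raw random bytes from the OS CSPRNG, then Base32-encode them.
// 10 bytes = 80 bits, which encodes to exactly 16 Base32 characters (no padding).
func SecretFromRandomBytes(nBytes int) (string, error) {
	raw := make([]byte, nBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw), nil
}

// Route B: pick each character uniformly from the Base32 alphabet with the CSPRNG.
// Each character carries log2(32) = 5 bits, so 16 characters again give 80 bits.
func SecretFromAlphabet(length int) (string, error) {
	var sb strings.Builder
	n := big.NewInt(int64(len(base32Alphabet)))
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n) // unbiased: no modulo reduction
		if err != nil {
			return "", err
		}
		sb.WriteByte(base32Alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is the entropy of a secret whose characters are drawn uniformly
// from an alphabet of the given size: length * log2(alphabetSize).
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// IsValidBase32Secret reports whether s uses only the Base32 alphabet.
func IsValidBase32Secret(s string) bool {
	return s != "" && strings.Trim(s, base32Alphabet) == ""
}
```

EntropyBits(16, 32) is 80 bits for either route, while a 10-character string from the 82-character alphabet the thread mentions carries only about 63.5 bits before it is Base32-encoded into the same 16 characters.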
Thank you for your interest, I am closing this issue, Chris (@morrowc). Please feel free to leave more comments if you have something more.
from gotp.