
@aeneasr
Member

@aeneasr aeneasr commented Dec 10, 2024

Moving forward, OTPs generated by the code strategy will match pattern `[0-9a-zA-Z]{8}` instead of `[0-9]{6}`. This increases entropy and makes it easier to defend against reverse brute force attacks.

See https://github.com/ory-corp/cloud/issues/3724

Related issue(s)

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

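As an added example (my own code, not from the Ory pull request), the Go snippet below puts numbers on the entropy claim, draws codes of the new `[0-9a-zA-Z]{8}` format with `crypto/rand` without modulo bias, and shows how a verifier can keep accepting the legacy `[0-9]{6}` format during the migration the follow-up comments worry about. All identifiers are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"math"
	"math/big"
	"regexp"
)

// Alphabets and anchored patterns for the legacy ([0-9]{6}) and new
// ([0-9a-zA-Z]{8}) code formats; names are this example's own.
var (
	legacyAlphabet = "0123456789"
	newAlphabet    = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	legacyPattern  = regexp.MustCompile(`^[0-9]{6}$`)
	newPattern     = regexp.MustCompile(`^[0-9a-zA-Z]{8}$`)
)

// EntropyBits returns log2(|alphabet|^length), the guessing work factor of a code.
func EntropyBits(alphabet string, length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// GenerateCode draws each character uniformly from alphabet using crypto/rand.
// rand.Int rejection-samples internally, so 62 not dividing 256 causes no bias.
func GenerateCode(alphabet string, length int) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// CodeFormat classifies a submitted code as "new", "legacy" (still accepted while
// older codes are in circulation) or "invalid". Go's `$` matches only at end of
// text, so a trailing newline or extra characters are rejected.
func CodeFormat(code string) string {
	if newPattern.MatchString(code) {
		return "new"
	}
	if legacyPattern.MatchString(code) {
		return "legacy"
	}
	return "invalid"
}
```

The legacy format carries roughly 19.9 bits of entropy, the new one roughly 47.6 bits, which is the gap the PR description refers to.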
@aeneasr
Member Author

aeneasr commented Dec 10, 2024

A test is needed to ensure the legacy code generation still works.

@aeneasr aeneasr closed this Apr 28, 2025
@aeneasr aeneasr reopened this Apr 28, 2025
@tricky42
Contributor

Can we follow up on this to close: https://github.com/ory-corp/cloud/issues/3724?

@aeneasr
Member Author

aeneasr commented Sep 29, 2025

Yes, just need to figure out how to change it without breaking customers' existing implementations - especially custom UIs.
