Google Authenticator Soft Token Generator
Published Mar 17, 2015
Version 1.0
We were reviewing the code for this, as we think:

# Hash a float returned by rand() with MD5 and base64-encode the digest ...
set secret [b64encode [md5 [expr rand()]]]
# ... then keep only the first 10 characters as the shared secret
set secret [string range $secret 0 9]

is suspect, as base64 is 6 bits a character, and 10 lots of 6 bits is 60 bits, whereas Google Authenticator uses 80 bits of entropy (16 x base32 = 80 bits), and the RFC recommends 160 bits as a minimum.
Not sure this quite undermines Google Authenticator, but it must make brute force and similar attacks at least a million times more feasible.
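As an added illustration (not code from the original article or its author): the entropy arithmetic from the comment above, alongside a secret generator in the form the RFC intends, written in Python rather than iRule Tcl because the point is the bit count and the source of randomness, not the platform. The byte lengths 10 and 20 are assumptions chosen to match the 80-bit and 160-bit figures quoted above.

```python
import base64
import secrets

# Bits of entropy carried per character by each encoding discussed above.
BITS_PER_CHAR = {"base64": 6, "base32": 5}

# RFC 4226 shared-secret length: 128 bits required, 160 bits recommended.
RFC4226_MINIMUM_BITS = 128
RFC4226_RECOMMENDED_BITS = 160


def encoded_entropy_bits(encoding: str, length: int) -> int:
    """Upper bound on the entropy in `length` characters of `encoding`.

    It is only an upper bound: the encoding cannot add entropy, so if the
    input bytes came from a weak generator (a single float from rand(),
    for example) the real entropy is lower still.
    """
    return BITS_PER_CHAR[encoding] * length


def brute_force_ratio(weak_bits: int, reference_bits: int) -> int:
    """How many times smaller the weak key space is than the reference one."""
    return 2 ** (reference_bits - weak_bits)


def generate_totp_secret(num_bytes: int = 20) -> str:
    """Secret generated the way the RFC intends: CSPRNG bytes, base32-encoded.

    20 bytes = 160 bits (RFC 4226 recommendation); 10 bytes = 80 bits, the
    length Google Authenticator itself uses. Unpadded base32 is the format
    Google Authenticator accepts in otpauth:// URIs.
    """
    raw = secrets.token_bytes(num_bytes)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def secret_entropy_bits(secret: str) -> int:
    """Entropy upper bound of a base32 secret in Google Authenticator format."""
    return encoded_entropy_bits("base32", len(secret))


def meets_rfc_minimum(secret: str) -> bool:
    """Check a base32 secret against the RFC 4226 required minimum of 128 bits."""
    return secret_entropy_bits(secret) >= RFC4226_MINIMUM_BITS
```

Running the arithmetic on the figures from the comment: 60 bits for the 10 base64 characters, 80 bits for 16 base32 characters, and a 2^20 (about a million) reduction in the search space between them.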