by someexgamedev 2527 days ago
Is this reset mechanism conceptually flawed? Even with one attempt before invalidating the code, you have a 1:999,999 shot of stealing someone's account by lotto. Not bad odds for an automated process.

It's like every account on Instagram has an alternative six digit password.


You are right. Betting everything on a 6-digit code surely is a mistake. For example, try the same code on a million different accounts, and you definitely get access to at least 1 of them. (Considering they are using a good random generator)
You probably get access to at least one of them, not definitely
There is a 36.7% (or ~1/e) chance that you don't get any of them.
In case anyone is wondering that can also be derived like in the birthday problem - (999999/1e6)^1e6 .. which is not 0 but 0.36787
Sony was using 8 characters of alphanumeric at one point. They reduced it to 6 digits. It turns out that the chance of guessing six digits successfully given one or two tries only is low enough to satisfy human beings when it comes to “annoyance versus protection”, especially when codes expire after a couple attempts.
Yeah, that is if they limit attempts and put code expiry in place, which Instagram did not have, and it's also missing warning systems for users as well as a temporary locking mechanism for such a feature if fraud is detected by the user. Those limits are more important to personalities than to a lambda user.
The problem with alphanumeric is you have people from foreign countries who do not even have an English keyboard installed on their phone. The default is probably their native language and they do not care to add a secondary one or switch.

Numeric values solve that problem.

edit: drunk typing

Is that a thing? Domain names, email addresses, passwords all tend to require the latin character set. Here in Japan I can't remember seeing a single site that uses kanji passwords.
a 6 digit password that is only valid for 10 minutes