by dx034 714 days ago
My employer uses alphanumeric 2 factor codes and I'm so certain that they have a bias towards some letters (mostly y and z). I know I'm probably wrong and it's probably because they appear so rarely in real words, but I can't shake the feeling they aren't random.

Only problem is that I don't have the algorithm. I started writing down all codes I got but since I only get 5 a week, it's a long process. I'll probably switch jobs before I have valid results.

Not that it would change anything, but I'd be really curious how biases in those codes could appear.


Is there a standardized, public, and widely examined algorithm that produces letters or did they run "their own crypto"?
Custom logic to serialize a number as a set of symbols hardly comes near the threshold of "rolling your own crypto". So long as they follow a standard to generate the number, the serialization is basically irrelevant as long as it's reversible.
Right, as long as...

However, it would not be the first time that those being "creative" in their visible parts were also "creative" in the less visible details.

So my confidence in those just following the RFC would generally be higher.

Aside: the adage "don't roll your own crypto" has this funny side effect of homogenization, where a weakness empowers an attacker against the maximum number of targets and makes mass interception more cost effective.

I've found that interoperability across diverse implementations is ironically the best protection against schemes that weaken RNGs and key entropy to facilitate mass interception. Independent implementations become a proof of a protocol or algorithm implementation. If there is only one functional implementation of something, it's where I would look first.

Could be fun to map TOTP to syllables; you'd need 100 syllables, give or take, then the code is 3 syllables.
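To make the serialization point above concrete, here is an added example (not from anyone in this thread, and not the employer's real scheme): a standard RFC 4226/6238 HOTP/TOTP value, then a reversible fixed-width encoding of its 31-bit truncated value into an assumed lowercase base-36 alphabet, and a frequency count showing how the encoding step alone can skew one position of the code. The assumptions are the alphabet, the 6-character width, and the RFC 4226 test-vector secret used as sample input.

```python
import hashlib
import hmac
import struct
import time
from collections import Counter

# Assumed symbol set: lowercase base-36, 6 characters wide (a constructed example scheme).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

def hotp_truncate(secret: bytes, counter: int) -> int:
    """RFC 4226 HMAC-SHA1 dynamic truncation: the 31-bit value before 'mod 10**digits'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    return str(hotp_truncate(secret, counter) % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    t = int(time.time() if unix_time is None else unix_time) // step
    return hotp(secret, t, digits)

def to_symbols(value: int, width: int, alphabet: str = ALPHABET) -> str:
    """Fixed-width base-len(alphabet) encoding; reversible only while value < base**width."""
    base, out = len(alphabet), []
    for _ in range(width):
        value, r = divmod(value, base)
        out.append(alphabet[r])
    return "".join(reversed(out))

def from_symbols(code: str, alphabet: str = ALPHABET) -> int:
    value = 0
    for ch in code:
        value = value * len(alphabet) + alphabet.index(ch)
    return value

def position_bias(secret: bytes, width: int = 6, samples: int = 20000) -> list:
    """Per-position symbol counts of the encoded 31-bit HOTP value over many counters.
    With width 6, 36**6 (~2.18e9) exceeds 2**31 (~2.15e9): the leading symbol is 'z' only
    for values >= 35 * 36**5, a window about half as wide as every other symbol's."""
    counts = [Counter() for _ in range(width)]
    for counter in range(samples):
        for pos, ch in enumerate(to_symbols(hotp_truncate(secret, counter), width)):
            counts[pos][ch] += 1
    return counts
```

Running `position_bias(b"12345678901234567890")[0]` shows the leading-position 'z' count at roughly half that of the other symbols while the trailing positions stay close to uniform: the number is standard, the bias comes purely from how the code space is fitted onto the alphabet.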