PIN and OTP Generator: Secure Codes
Generate cryptographically secure PINs and one-time passwords — for testing, prototyping, and demos.
Tags: PIN OTP generator, one time password generator, secure PIN generator
PINs and OTPs protect systems through a different mechanism than passwords: they are short-lived, rate-limited, or tied to physical possession. A 6-digit PIN is computationally trivial to guess; it derives its security entirely from the controls around it. Understanding this distinction is essential for both building and testing authentication systems.

---

PIN Security: It's All About Rate Limiting

A 6-digit numeric PIN has exactly 1,000,000 possible values. With no rate limiting:

This is why ATMs lock after 3 wrong attempts. The PIN's security comes from:

- Attempt limits — 3–5 wrong guesses trigger a lockout
- Physical possession — the card must be present
- Time windows — OTPs…
Frequently Asked Questions
How do I generate a random PIN?
Use crypto.getRandomValues(new Uint32Array(1)) and take modulo 10^N for an N-digit PIN. For a 6-digit PIN: (crypto.getRandomValues(new Uint32Array(1))[0] % 1000000).toString().padStart(6, '0'). Use rejection sampling to avoid modulo bias if the PIN will be used as a security credential.
What is a TOTP (time-based OTP)?
TOTP (Time-based One-Time Password) is defined in RFC 6238. It generates a 6-digit code by computing HMAC-SHA1 of the current Unix time (floored to 30-second windows) using a shared secret key. The code changes every 30 seconds and is valid for a brief window (typically 1–2 steps) to account for clock skew.
How do I generate a 6-digit OTP?
For testing purposes: Math.floor(crypto.getRandomValues(new Uint32Array(1))[0] / 4294967296 * 1000000).toString().padStart(6, '0'). For a real TOTP implementation, use the RFC 6238 algorithm with HMAC-SHA1 and a 30-second time step — never generate production OTPs as simple random numbers.
What is HOTP vs TOTP?
HOTP (RFC 4226) generates OTPs based on a counter that increments with each use. TOTP (RFC 6238) extends HOTP by using the current time divided into 30-second windows as the counter, so codes change automatically without requiring synchronization of a counter between client and server. TOTP is far more common in 2FA apps.
How secure is a 6-digit PIN?
A 6-digit PIN has 1,000,000 possible values (log₂(10^6) ≈ 19.9 bits of entropy). On its own, this is cryptographically weak — exhaustible in under a second with no throttling. PINs derive their security entirely from rate limiting, lockouts after failed attempts, and physical possession requirements. Never use a PIN alone for sensitive authentication.