pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

Question: How do you generate password from string param #100

Closed yoshi486x closed 4 years ago

yoshi486x commented 4 years ago

I needed to generate a TOTP from the given secure secret pyotp@example.comGITHUB. So, I encoded the secure secret by base32 beforehand, and the authentication worked! But I'm not sure if this is the right approach. Could somebody tell me if this is right or not?

import base64
import pyotp

secret = b'pyotp@example.comGITHUB'
secret = base64.b32encode(secret)  # pyotp expects the shared secret as base32 text
totp = pyotp.TOTP(secret)
totp.now() # => '199731'
kislyuk commented 4 years ago

That should not be the secret. The secret should be a random string of digits and characters that is shared between the server and the client.

Please read and understand https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm and https://tools.ietf.org/html/rfc6238 before you continue.

yoshi486x commented 4 years ago

Yes, I understand that the secret should be random for a production environment, but this is for a mock project. And in the descriptions you shared, I recognized that the secret could be any arbitrary byte string. So I suppose that my execution process was alright from the algorithm's point of view.

Please let me know if I still have any misunderstanding.

kislyuk commented 4 years ago

Your approach appears fine otherwise, but you may want to consult the OWASP guides to do a broader review of your application's security.

yoshi486x commented 4 years ago

Alright! Thank you for the comment!

tilkinsc commented 4 years ago

When you generate new OTP secrets, make sure you use a cryptographically secure random.
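The following is an added, standard-library-only example, not code from pyotp or from anyone in this thread. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly so that the two points raised above are visible in the code: the base32 step in the original question is only a transport encoding (decoding it gives back the literal string, so the key has the entropy of a password, not of a 160-bit key), and a deployment should instead draw the secret from the OS CSPRNG, which is what the `generate_secret` helper does. The function names `generate_secret`, `decode_secret`, `hotp`, `totp` and `verify` are this example's own; `RFC6238_TEST_SECRET` is the base32 form of the RFC 6238 Appendix B test key "12345678901234567890".

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Base32 of the RFC 6238 Appendix B test key b"12345678901234567890" (SHA-1 vectors).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32 secret built from `nbytes` CSPRNG bytes.
    20 bytes (160 bits) is the key size RFC 4226 recommends for HMAC-SHA1."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32_secret: str) -> bytes:
    """Undo the base32 transport encoding to recover the raw HMAC key.
    Padding is restored because authenticator apps often strip the '=' characters."""
    s = b32_secret.strip().upper().replace(" ", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(b32_secret: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(b32_secret), t // step, digits)


def verify(b32_secret: str, code: str, at: Optional[int] = None,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current period or its `window` neighbours on either
    side (absorbs clock skew). hmac.compare_digest keeps the comparison constant-time."""
    t = int(time.time()) if at is None else at
    for k in range(-window, window + 1):
        candidate = totp(b32_secret, at=t + k * step, step=step, digits=digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # The approach from the question: base32 only re-encodes the literal string,
    # so the HMAC key is that string and has no more entropy than it does.
    weak = base64.b32encode(b"pyotp@example.comGITHUB").decode("ascii")
    assert decode_secret(weak) == b"pyotp@example.comGITHUB"
    # What a server should do when enrolling a user instead.
    strong = generate_secret()
    print("random base32 secret:", strong)
    print("current 6-digit code:", totp(strong))
    print("verifies:", verify(strong, totp(strong)))
```

The `hotp` and `totp` functions can be checked against the vectors in RFC 4226 Appendix D and RFC 6238 Appendix B (for example, time 59 with the test key yields 94287082 at eight digits). In practice pyotp's `pyotp.random_base32()` plays the role of `generate_secret` here; the point of the hand-rolled version is to make clear that everything after the secret is deterministic, so the secret's randomness is the entire security of the scheme.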