TOTP – Larger Timesteps

I’m in the process of implementing TOTP based on RFC6238.

The RFC’s recommend time step is 30 seconds.

However, for addressing a resynchronization problem that we have,

  1. if I use a larger time step, 15 mins

  2. or if my verifier verify the code in 30 time slots (15 previous, the current and 29 future),

    is there any vulnerability apart from the larger time window for brute-forcing?

The RFC document doesn’t seem to explicitly mention why the 30 sec is their recommendation.

Go to Source
Author: Sency

wfuzz default number of connects in parallel per target?

In Hydra, default number of connects in parallel per target is 16 and it can be changed with -t flag.

E.g. -t 100 for 100 connection in parallel per target.

wolf@linux:~$ hydra -h | grep parallel
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)

What about wfuzz? I did not see this info in it’s help menu. Is it possible to change it’s value?

wolf@linux:~$ wfuzz -h | egrep -i 'thread|parallel'

Go to Source
Author: Wolf