

Ask HN: Are OTPs never prime? - shreshthmohan

Indian banks use one-time password for two-factor authentication. Prashant (https:&#x2F;&#x2F;twitter.com&#x2F;pacificleo&#x2F;status&#x2F;600132236730441728) is saying that he has never seen an OTP that is prime. Which makes him ask if this is intentional.<p>- Is this true? If yes, why?<p>PS: this is my first submission to HN.
Thanks.
======
shreshthmohan
I think that this is just probability in play. OTPs are usually 4 or 6 digits.
Probability of seeing a prime number is little because of prime number
theorem. I might be wrong though.

~~~
kylc
Some digging reveals that a common method for generating OTPs is through
repeated hash function applications. A good hash function should produce
uniformly distributed outputs.

There are 78,498 primes less than 10^6 (so, primes less than 6 digits),
meaning that there is about a 7.9% chance of independently seeing a prime OTP
if the OTPs are uniformly distributed. That seems pretty high. The expected
value for seeing a prime OTP after multiple trials is just 15.

So I wonder if your friend is just unlucky or if his OTP provider is using
another method for OTP generation.

