I'm pretty sure that the 2FA codes generated by my bank's TOTP app have a bias towards the number 8 - because eight is an auspicious number. But is that just my stupid meaty brain noticing patterns where none exist? The TOTP algorithm uses HMAC, which in turn uses SHA-1. My aforementioned brain is not […]
Pretty cool to show that sample size matters a lot during testing…
Sample size = 10: “There’s 20% 8! WTF, should be 10%”
Sample size = 10k+: “Oh wait, never mind”
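
The sample-size effect discussed above can be reproduced offline. This is an added example, not code from the original post: it implements RFC 4226/6238 TOTP with HMAC-SHA-1 and measures how often each digit appears. The secret is the RFC test key, and the 6-digit, 30-second parameters are assumptions, since the bank app's real settings are not known.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Constructed sample secret (the RFC 4226 / RFC 6238 test key), not a real seed.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def digit_shares(secret: bytes, n_codes: int, start: int = 0, step: int = 30) -> dict:
    """Fraction of each digit 0-9 across n_codes consecutive TOTP codes."""
    counts = Counter()
    for i in range(n_codes):
        counts.update(totp(secret, start + i * step, step))
    total = sum(counts.values())
    return {d: counts[d] / total for d in "0123456789"}


if __name__ == "__main__":
    # Small samples swing widely; large samples settle near 10% per digit.
    for n in (10, 100, 10_000):
        shares = digit_shares(SECRET, n)
        print(f"{n:>6} codes: share of '8' = {shares['8']:.3f}")
```
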