Can anybody recommend a secure password generator available under a Apache or LGPL licence for Java?
I would not worry that much about generating incredible strong one time passwords. Make the password long and it should not be a problem with brute force granted you limit how long the password is valid. If the password is only valid for say 1 hour then it will not be a problem if the password remains unused. And in that time span it is not likely that someone will get to crack it using brute force.
It is also important that you only let the one time password work just one time. This way, if the password is intercepted the user will notice when the one time password has expired and can take appropriate actions.
I'd go for Apache Commons RandomStringUtils and let the password be 10-15 characters of letters and numbers.
...though it always is a question of how paranoid you want to be. This solution would be fine for a regular web application, but not good enough for a bank...