I'm trying to add "remember me" functionality to a website using a cookie with the user's username and a token, which is also stored encrypted in a database. My question is how long should this token be? One website I read said 128bit, which in my thinking is 16 characters. I'm not too worried about duplicates as even 16 characters from a character set of 256 characters provides a huge number of possibilites and the chance of duplicates at the same time is slim.
How long should the token be? (I'm not wondering about how to generate the value or how unique.)
Just use a GUID. Many databases support them as a native type; they're easy to manipulate in most popular languages/frameworks; translate perfectly from one platform to another; and every one is unique.
I think it depends more on how the value is randomised than how long it is. A 256 bit hash is not secure at all if it's just a hash of something that can easily be guessed or narrowed down such as a unique ID based on the time.
However, as you've said, you are not specifically asking about how to make it random enough.
An estimated 2^80 (or more) required operations in order to break something is usually a good measure. This would imply an 80 bit hash is secure. (If you were vulnerable to birthday attacks, you'd need double that ie 160 bits, but I don't think this situations applies).
Personally, for this purpose I use 256 bit hashes. When base64 encoded, they compress down to only 43 characters in length, all printable characters. I figure that even though it's way more than what I need, it's not a big hassle having them that long.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With