Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Length of a security token

I'm using security tokens to create not guessable URLs like this (16 bytes, hex)

http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31

The token is something like a shared passwords: Who knows the URL is allowed to access the resource.

How many bytes should a secure random value have to be appropriate for secure URLs?

like image 875
deamon Avatar asked Sep 04 '11 13:09

deamon


People also ask

What is a security token example?

Car remotes are examples of security tokens people use regularly. Security tokens are used to authenticate users, and they can be used either to substitute passwords or other authentication methods or used as additional authentication in multi-factor authentication (MFA) flow.

What is a valid security token?

A security token is a physical or digital device that provides two-factor authentication (2FA) for a user to prove their identity in a login process. It is typically used as a form of identification for physical access or as a method of computer system access.

What is access token length?

Token size Tokens can vary in size, up to the following limits: Authorization codes: 256 bytes. Access tokens: 2048 bytes. Refresh tokens: 512 bytes.

How long is a secure token?

Work with a strong source of pseudorandomness, ensuring an even and unpredictable spread of tokens across the range of possible values. Make the tokens long enough (at least 16 bytes).


1 Answers

I've ended up with a 64 Bit random value which is encoded as url-safe Base64. The possibility to guess the correct token is 1 / 2^64 what is equal to 1 / 18446744073709551616. This is a pretty impressive number and it would be nearly impossible for an attacker to find the correct token with http requests.

URLs look like this now: http://example.com/private/1oWYPiqO81k/

like image 51
deamon Avatar answered Oct 15 '22 04:10

deamon