Length of a security token

deamon · Sep 4, 2011 · Viewed 9.3k times

I'm using security tokens to create non-guessable URLs like this (16 bytes, hex):

http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31

The token is something like a shared password: whoever knows the URL is allowed to access the resource.

How many bytes should a secure random value have to be appropriate for secure URLs?

Answer

deamon · Sep 18, 2011

I've ended up with a 64-bit random value which is encoded as URL-safe Base64. The probability of guessing the correct token is 1 / 2^64, which is equal to 1 / 18446744073709551616. This is a pretty impressive number and it would be nearly impossible for an attacker to find the correct token with HTTP requests.

URLs look like this now: http://example.com/private/1oWYPiqO81k/
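The scheme the answer settles on, as an added example that is not part of the original post: 8 bytes from a CSPRNG, URL-safe Base64 with the padding stripped (which is why the token in the URL above is 11 characters long), plus the two pieces a server needs around it: a padding-tolerant decoder and a constant-time comparison when the token is checked. It also goes one step beyond the answer: `expected_guesses` takes the number of tokens that are simultaneously valid into account, because a guesser trying random URLs succeeds on any live token, not only one particular one, so the work factor shrinks in proportion to how many private URLs exist at once. All function names and the `valid_tokens` parameter are this example's own choices, not anything from the question or answer.

```python
import base64
import hmac
import secrets


def encode_token(raw: bytes) -> str:
    """URL-safe Base64 with the '=' padding removed (the form used in the answer)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_token(token: str) -> bytes:
    """Inverse of encode_token: re-add the padding that was stripped, then decode."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding)


def make_token(nbytes: int = 8) -> str:
    """Draw nbytes from the OS CSPRNG (secrets, not random) and encode for a URL.

    8 bytes gives the 64-bit token from the answer; 16 bytes gives 128 bits.
    """
    return encode_token(secrets.token_bytes(nbytes))


def guess_probability(nbytes: int) -> float:
    """Chance that a single random guess equals one specific token of nbytes bytes."""
    return 1 / 2 ** (8 * nbytes)


def expected_guesses(nbytes: int, valid_tokens: int = 1) -> int:
    """Expected guesses before hitting *any* of `valid_tokens` live tokens.

    On average half the space must be searched, and every valid token is a hit,
    so the cost is 2^(8n) / (2 * valid_tokens). With valid_tokens=1 this is the
    1/2^64 case from the answer; with a million live URLs it is ~2^44 for 8 bytes.
    """
    return 2 ** (8 * nbytes) // (2 * valid_tokens)


def years_to_hit(nbytes: int, valid_tokens: int, requests_per_second: float) -> float:
    """Expected time for a guesser sending requests_per_second to hit a live token."""
    seconds_per_year = 365 * 24 * 3600
    return expected_guesses(nbytes, valid_tokens) / requests_per_second / seconds_per_year


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so the check itself does not leak partial matches."""
    return hmac.compare_digest(presented.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    token = make_token(8)
    print(f"http://example.com/private/{token}/  ({len(token)} chars)")
    print("single-guess probability:", guess_probability(8))
    # Assumed numbers for illustration: one million live URLs, 10k requests/s.
    print("years to hit one of 1M live tokens at 10k req/s:",
          years_to_hit(8, 10**6, 10_000))
```

`years_to_hit` is the number worth looking at when sizing the token: the answer's 1/2^64 describes one guess against one URL, while the exposure of a service is the rate an attacker can sustain against the whole set of valid URLs, which is why 16 bytes (128 bits) leaves a comfortable margin even for services with many private URLs.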