tags:

views:

171

answers:

2
+2  Q: 

How long should a "remember me" token be?

I'm trying to add "remember me" functionality to a website using a cookie with the user's username and a token, which is also stored encrypted in a database. My question is how long should this token be? One website I read said 128bit, which in my thinking is 16 characters. I'm not too worried about duplicates as even 16 characters from a character set of 256 characters provides a huge number of possibilites and the chance of duplicates at the same time is slim.

How long should the token be? (I'm not wondering about how to generate the value or how unique.)

+6  A: 

Just use a GUID. Many databases support them as a native type; they're easy to manipulate in most popular languages/frameworks; translate perfectly from one platform to another; and every one is unique.

Rex M  2009-03-12 03:38:29
Sorry, I guess it wasn't clear. I'm wondering about the length.
Darryl Hein  2009-03-12 03:44:42
A GUID implies a length -- the 128 bits / 16 characters that you mention in your question.
chaos  2009-03-12 03:54:49
I am looking for what length it should be. Is 16 the correct length?
Darryl Hein  2009-03-12 04:11:58
@Darryl for transmission and plain-text storage (like cookies), a GUID is usually encoded to HEX, which is 32 characters.
Rex M  2009-03-12 13:22:28
+1  A: 

I think it depends more on how the value is randomised than how long it is. A 256 bit hash is not secure at all if it's just a hash of something that can easily be guessed or narrowed down such as a unique ID based on the time.

However, as you've said, you are not specifically asking about how to make it random enough.

An estimated 2^80 (or more) required operations in order to break something is usually a good measure. This would imply an 80 bit hash is secure. (If you were vulnerable to birthday attacks, you'd need double that ie 160 bits, but I don't think this situations applies).

Personally, for this purpose I use 256 bit hashes. When base64 encoded, they compress down to only 43 characters in length, all printable characters. I figure that even though it's way more than what I need, it's not a big hassle having them that long.

thomasrutter  2009-03-12 05:36:20
Umm, a GUID can't be easily guessed or narrowed down in most situations.
Rex M  2009-03-13 01:41:09
Ok cool, I'll edit the answer.
thomasrutter  2009-03-13 03:12:41

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication