
Designing a service for password-less temporary access to resources - ostastny
https://medium.com/@mail_50938/designing-a-service-for-password-less-temporary-access-to-resources-e0bbb5b7a22b
======
rafd
6 characters is pretty trivial to brute force. Someone could set up a script
to continuously try all combinations and get access to whatever happens to hit
a match.

You could block an IP after a certain number of failures, but that doesn't
protect against a network of various IPs attacking (which attackers often have
access to). Adding an artificial delay also wouldn't protect against parallel
attacks.

A simpler/better solution would be to add a few more characters to the
shortcode so it's infeasible to force within your timeframe (and the number of
requests your servers can handle in that timeframe).

~~~
NicoJuicy
Why an IP block instead of a username block

~~~
rovr138
Different attacks.

If you have a network, 1 IP could then try 1 time a user + password. Then
switch to another device with a different IP for another one.

The first IP could then try a different user.

You need a combination, not one or the other.

And then, you have to deal with a university or other big institution and
users forgetting their passwords after the holidays. That would potentially
trigger a ban of everyone.

------
asjfkdlf
I have implemented something similar, but used 12 characters. 6 is way too few
for a secure URL

------
sroussey
Two day, 6 char, session id.

------
gumby
These days few, if any, such URLs will in practice be typed in, much less
spoken aloud; they will overwhelmingly be clicked or copy/pasted. So
shortness is probably not a problem. In addition, suppressing obvious typos
(lowercase L/digit 1) doesn't really matter either.

------
warmfusion
I've wanted to build a similar system for supporting preview of articles on a
CMS. Problem is, users may share multiple URLs with a user so a single JWT
token in a cookie doesn't suit that flow very well. Each new link followed
needs to extend an existing value with additional proofs (and remove old
ones?)

------
thunderrabbit
> ValidUntil configures how long the access will last.

My understanding of your use case is stopping indefinite "exponential"
forwarding.

I wonder if the ValidUntil timer could start when the shortlink is first
accessed.

That way you can shorten the time it lasts in the wild _and_ let it be
indefinitely available for the first intended recipient.

------
sneak
This seems like overkill for what amounts to a signed URL for accessing static
content.

------
reaperducer
_Each shortcode is 6 characters and is case insensitive. That gives us roughly
1.8 billion (1838265625) combinations._

That's only 1.8 billion combinations if you only have computers talking
privately to other computers. But in the scenario outlined in the article,
people will see the URL, so you must filter millions of those combinations.

For example, if I come across a recipe for shoo-fly pie, I don't want to
forward my grandmother a shortened url like example.com/FuckUG. More
importantly, you don't want someone posting a screenshot of your expletive
shortcode on social media, or worse.

When wetware is involved, even in just one step, things get messy.

~~~
kordlessagain
26^6=308,915,776

36^6=2,176,782,336

Approximate number of words in English: 171,476
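An added example (not from the article or any commenter) that turns the counting in this sub-thread and rafd's brute-force argument into a defender's calculation: the keyspace for the alphabet sizes quoted here (26, 36, and the 35 that yields the article's 1,838,265,625), the probability that an attacker who can make a given number of guesses during the validity window hits a live code, and the shortest code length that keeps that probability under a chosen bound. The aggregate request rate, the number of simultaneously valid codes and the 1e-6 bound are assumed inputs, not figures from the page.

```python
import math

# Figures quoted in the thread: 6 chars, case-insensitive; the article's
# 1,838,265,625 combinations equals 35**6 (assumed: 36 alphanumerics minus one
# ambiguous symbol). TWO_DAYS is sroussey's "two day" validity window.
TWO_DAYS = 2 * 24 * 60 * 60  # seconds


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct shortcodes of the given length."""
    return alphabet_size ** length


def hit_probability(alphabet_size: int, length: int,
                    live_codes: int, guesses: int) -> float:
    """Probability that at least one of `guesses` uniformly random guesses
    matches one of `live_codes` codes that are valid at the same time.
    Guesses are modelled as independent draws; an attacker who never repeats
    a guess does marginally better, but the difference is negligible while
    guesses are far below the keyspace. log1p/expm1 keep tiny values exact."""
    per_guess = live_codes / keyspace(alphabet_size, length)
    if per_guess >= 1.0:
        return 1.0
    return -math.expm1(guesses * math.log1p(-per_guess))


def guesses_in_window(aggregate_rps: float, window_seconds: float) -> int:
    """Total guesses possible during the validity window. Per-IP blocking does
    not cap a distributed attacker (rafd's point), so the honest bound is the
    request rate the service itself can absorb."""
    return int(aggregate_rps * window_seconds)


def min_length(alphabet_size: int, live_codes: int, guesses: int,
               max_probability: float) -> int:
    """Smallest code length that keeps the hit probability at or below the
    chosen bound: the 'add a few more characters' fix rafd suggests."""
    length = 1
    while hit_probability(alphabet_size, length, live_codes,
                          guesses) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    guesses = guesses_in_window(1_000, TWO_DAYS)  # assumed: 1000 req/s sustained
    for length in (6, 12):
        p = hit_probability(35, length, 1_000, guesses)
        print(f"{length} chars, 1000 live codes: P(hit) = {p:.3g}")
    print("min length for P(hit) <= 1e-6:", min_length(35, 1_000, guesses, 1e-6))
```

With the assumed inputs a single live 6-character code already faces roughly a 9% chance of being guessed within two days, and with a thousand live codes the hit is all but certain, whereas 12 characters keeps the probability below 1e-7.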

~~~
reaperducer
Are you under the impression that English is the only language with offensive
words?

~~~
013a
Are you under the impression that there aren't many, many services which only
serve English-speaking populaces, by design, or that even including the
offensive words in every language would come close to significantly impacting
the entropy involved here?

