
Yes! Just using longer URLs is just security through obscurity. Which just gives a "false sense" of security.



That's not what security through obscurity means. It's very possible for "unique urls as a password" to obey Kerckhoffs' second principle.

Craigslist does this and it's a great system for a Craigslist post. You can sign up for an account if you want but you can also post without an account and you get a unique url as a password to edit or delete your post. Craigslist posts are only good for 30 days and someone deleting your Craigslist post isn't the end of the world.

It's very possible to use urls as a password securely, password reset emails do it all the time.


Password reset tokens through email have always troubled me. Unless the email content is encrypted (and it almost never is) then that token is exposed (imagine a compromised email server that harvests these tokens). Usually these things are time limited and you can know if another entity reset your password but it may be too late at that point.
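The two designs discussed above (a unique edit URL that acts as a password, and a time-limited password reset token sent by email) are the same mechanism: a capability token whose only secret is the token itself. The example below is added here and is not Craigslist's code or any site's real implementation. It shows what "obeys Kerckhoffs' principle" means in practice: the scheme can be fully public because the token carries 256 bits of randomness from a CSPRNG, the server stores only a hash of it (so a leaked database does not yield live tokens), tokens expire, and reset tokens are consumed on first use, which limits what a harvested email can do. The `CapabilityStore` class, the `clock` parameter and the `post:`/`reset:` resource labels are assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_BYTES = 32  # 256 bits of entropy: brute-force guessing is infeasible even with the scheme public


class CapabilityStore:
    """Issues unguessable URL tokens and keeps only their SHA-256 digests.

    Because the token is high-entropy and unknown to the attacker, looking it up
    by digest is safe: a timing difference on the digest comparison reveals
    nothing useful about the token's preimage.
    """

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._records = {}  # digest -> (resource, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Hash before storing: a database dump exposes digests, not usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, resource: str) -> str:
        """Create a fresh token granting access to `resource` until the TTL lapses."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe base64
        self._records[self._digest(token)] = (resource, self.clock() + self.ttl)
        return token

    def redeem(self, token: str, single_use: bool = False):
        """Return the resource for a valid, unexpired token; otherwise None.

        With single_use=True (password-reset semantics) the token is consumed,
        so a copy harvested later from a mailbox is rejected.
        """
        digest = self._digest(token)
        record = self._records.get(digest)
        if record is None:
            return None
        resource, expires_at = record
        if self.clock() > expires_at:
            del self._records[digest]  # expired: purge and refuse
            return None
        if single_use:
            del self._records[digest]
        return resource

    def purge_expired(self) -> int:
        """Drop expired records; returns how many were removed."""
        now = self.clock()
        dead = [d for d, (_, exp) in self._records.items() if now > exp]
        for d in dead:
            del self._records[d]
        return len(dead)


def build_edit_url(base: str, token: str) -> str:
    """Put the capability in a query string, e.g. https://example.invalid/edit?token=... (assumed URL)."""
    return f"{base}?{urlencode({'token': token})}"


if __name__ == "__main__":
    store = CapabilityStore(ttl_seconds=30 * 24 * 3600)  # 30-day post edit link
    tok = store.issue("post:example-listing")
    print(build_edit_url("https://example.invalid/edit", tok))
    print("redeem once:", store.redeem(tok))
    reset = store.issue("reset:alice")
    print("reset first use:", store.redeem(reset, single_use=True))
    print("reset replayed:", store.redeem(reset, single_use=True))
```

The design choice worth noting is hashed storage: it costs nothing, and it is what separates a capability URL from a secret that merely lives in the database. Expiry and single use do not protect a token that is read from an unencrypted email before the legitimate user gets to it, which is the residual risk the last comment describes.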




