Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)

Posted Apr 15, 2016 6:10 UTC (Fri) by eru (subscriber, #2753)
In reply to: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker) by noahm
Parent article: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)

In one sense MS is right: the attack works because the URLs are short, and making short URLs is the whole point of URL shorteners. I suspect you would need something like 20 characters to make brute-forcing infeasible today, and the minimum length would grow over time.

Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)

Posted Apr 15, 2016 14:28 UTC (Fri) by khim (subscriber, #9252) [Link]

I don't really see why. Note that we are NOT talking about some arbitrary functions which you could calculate locally. Rather we talk about something you need to ask remote server about!

Which means that if server responds fast enough to make human reader happy but not fast enough to make brute-force attack feasible... then that's it: fast computers and ASICs wouldn't change anything for that equations.