Tokenauth is not exactly the most secure model of content access control. There are cases where the security depends on an over-the-shoulder user not being able to spot memorize the token. I think 10 is short enough that it can be retained. What would be a reasonable balance of annoyingly long URLs with better security?

I'm thinking 20.

Comments

geerlingguy commented:

I use a default of 18 for tokens I build manually (typically, that's long enough that even someone with pretty good concentration couldn't memorize it). Since it's a variable, and changeable in the interface, I don't think it would be a bad idea to go up to 20; people can always shorten it if they have trouble (cutting off in email, etc.).

Grayside commented:

Status: Active » Patch (to be ported)
Attached file: status new, size 1.35 KB

Raised to 20 in 7.x branch. Attached patch is the diff to facilitate reroll for D6.

http://drupalcode.org/project/tokenauth.git/commit/243c1a1

Grayside commented:

Status: Patch (to be ported) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.