How difficult it is to brute force the token has to do with the underlying
entropy. For opaque access tokens the specs recommend 128 bits of entropy.
How you encode that is not relevant to the security.


> On Apr 7, 2015, at 6:19 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
> 
> Hi John
> 
> Thanks for the comments, what I'm curious about is not how to get a generated 
> (bearer) access token encoded with the encoded value having a fewer number of 
> characters but how to better support a security requirement that it should be 
> difficult for an attacker to reproduce a given access token value...
> 
> So I've been wondering if the fact that Base64(URL) has a richer set of 
> characters than HEX makes it a better alternative...Not 100% sure how 
> important it can be...
> 
> Thanks, Sergey
> 
> On 07/04/15 14:09, John Bradley wrote:
>> Best would depend on what you are encoding.  If the thing you are encoding 
>> is mostly URL safe then using URL escaping might give you the smallest 
>> result.
>> If it is 8bit data then BASE64URL will give you a smaller result than HEX 
>> encoding.
>> 
>> JWT use BASE64URL as a datapoint.
>> 
>> John B.
>>> On Apr 7, 2015, at 3:58 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
>>> 
>>> Hi
>>> 
>>> Would it be correct to assume that the best method for encoding the 
>>> auto-generated bearer tokens is Base64URL ? I've spotted recently some of 
>>> our code uses the Hex encoding which I believe is inferior compared to 
>>> Base64URL given that the latter has a richer set of characters.
>>> 
>>> Is it a correct assumption ?
>>> 
>>> Thanks, Sergey
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 

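An added illustration of the point made at the top of the thread (example code, not from the list or any of the posters): the same 128-bit CSPRNG draw is encoded as hex and as unpadded base64url, the two encodings differ in length but decode to identical bytes, so the brute-force space is the same; the zero-padded weak token is a constructed counter-example showing that string length and alphabet size say nothing about entropy.

```python
import base64
import secrets

# 128 bits of entropy, the figure the thread cites for opaque access tokens.
TOKEN_ENTROPY_BITS = 128


def generate_token(entropy_bits: int = TOKEN_ENTROPY_BITS) -> bytes:
    """All of the token's unguessability comes from this CSPRNG draw."""
    return secrets.token_bytes(entropy_bits // 8)


def encode_hex(raw: bytes) -> str:
    return raw.hex()


def encode_base64url(raw: bytes) -> str:
    """Unpadded base64url, the form JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_hex(text: str) -> bytes:
    return bytes.fromhex(text)


def decode_base64url(text: str) -> bytes:
    # Restore the padding that encode_base64url stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def search_space_report(raw: bytes, entropy_bits: int) -> dict:
    """Compare the real search space (bits drawn from the CSPRNG) with what the
    encoded string might suggest. Hex spends 4 bits per character, base64url 6,
    so base64url is shorter, but both decode to the same bytes and an attacker
    still has 2**entropy_bits values to guess. 'apparent' is just len * bits/char."""
    hex_text = encode_hex(raw)
    b64_text = encode_base64url(raw)
    assert decode_hex(hex_text) == raw and decode_base64url(b64_text) == raw
    return {
        "real_bits": entropy_bits,
        "hex_len": len(hex_text),
        "hex_apparent_bits": 4 * len(hex_text),
        "b64url_len": len(b64_text),
        "b64url_apparent_bits": 6 * len(b64_text),
    }


def weak_token_padded(entropy_bits: int = 32) -> tuple:
    """Constructed counter-example: 32 random bits zero-padded to 16 bytes.
    It encodes to the same length as a real 128-bit token in either encoding,
    yet only 2**32 guesses are needed. Length and alphabet are not entropy."""
    return secrets.token_bytes(entropy_bits // 8).rjust(16, b"\x00"), entropy_bits
```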
