- [9] You want a potential attacker to have up to a 1% chance of guessing a token? Hmmm, methinks a couple of orders of magnitude need to be added to your numbers for most of us to be comfortable. I haven't done the math yet but that's not a base number I would use. (Caleb, Jun 3, 2014 at 7:07)
- [5] Sorry, but your math and assumptions don't seem to make sense. For example, why do you assume an attacker can send only what Facebook receives? Why are you counting tokens for active users, and why 5 minutes? The 1% also seems a bit weird, as @Caleb mentioned. While it really is super important to look at the math of these things (more developers should do that!), I think you're going about it the wrong way. (AviD ♦, Jun 3, 2014 at 7:43)
- At this point your question is a bit of a moving target. Please don't use questions as an ongoing discussion as your understanding of an issue progresses. I answered the original question; now you've changed it to the point where it would require an entirely different answer. It would be more helpful for everybody if you would focus the question on one issue, then if you have more questions after that is answered, ask a focused question on the new issue. (Caleb, Jun 3, 2014 at 7:47)
- [3] @AviD: actually I think using Facebook's traffic is fairly ingenious. Most websites can't process anything like as many requests as Facebook does, so for most websites that rate of attempts would naturally cross the line from a brute-force attack on the token into a DoS ;-) That's not to say I like the rest of the analysis, though. In particular, if there really were a 1% chance of an attack succeeding in 5 minutes then you'd have to expect that form of attack to succeed in about 500 minutes unless otherwise stopped. (Steve Jessop, Jun 3, 2014 at 9:26)
- The cost of using 130-bit tokens is relatively small. Why not crush that 1% chance into oblivion? What if increases in network and computing power make much larger attacks possible in the future? (Russell Borogove, Jun 3, 2014 at 17:45)
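The arithmetic the comments are arguing about (chance of a guess landing, expected time to first success, and how many bits keep that chance negligible), as an added worked example that is not part of the thread. It assumes tokens are uniform random n-bit values and that each guess is an independent uniform draw; the rates and counts in the `__main__` block are constructed illustrations, not figures from the question.

```python
import math


def guess_success_probability(token_bits, valid_tokens, attempts_per_second, seconds):
    """Chance that at least one of the attacker's guesses matches one of the
    `valid_tokens` tokens that are valid during the window.

    Modelling assumption (not from the post): tokens are uniform random
    n-bit values and every guess is an independent uniform draw, so each
    guess hits with probability valid_tokens / 2**token_bits.
    """
    per_guess = valid_tokens / 2.0 ** token_bits
    guesses = attempts_per_second * seconds
    # 1 - (1 - q)**m, via log1p/expm1 so probabilities around 1e-28 are
    # not rounded away to 0.0 by plain floating-point subtraction.
    return -math.expm1(guesses * math.log1p(-per_guess))


def expected_minutes_to_success(window_probability, window_minutes):
    """If each attack window independently succeeds with probability p, the
    number of windows until the first success is geometric with mean 1/p,
    which is where '1% per 5 minutes -> about 500 minutes' comes from."""
    return window_minutes / window_probability


def bits_for_target(valid_tokens, attempts_per_second, seconds, max_probability):
    """Smallest token length (bits) such that the attacker's overall success
    probability over the whole attack stays at or below max_probability."""
    guesses = attempts_per_second * seconds
    # Solve 1 - (1 - q)**m <= p for the largest per-guess hit probability q.
    q_max = -math.expm1(math.log1p(-max_probability) / guesses)
    # q = valid_tokens / 2**n <= q_max  <=>  n >= log2(valid_tokens / q_max)
    return math.ceil(math.log2(valid_tokens / q_max))


if __name__ == "__main__":
    # The scenario discussed in the comments: a 1% chance per 5-minute window.
    print(f"expected time to first success: {expected_minutes_to_success(0.01, 5):.0f} min")
    # Constructed illustration: one valid 128-bit token, a billion guesses
    # per second, sustained for five minutes.
    p = guess_success_probability(128, 1, 1e9, 300)
    print(f"128-bit token, 1e9 guesses/s for 5 min: p = {p:.3g}")
    # Constructed illustration: a year-long 1e9/s attack against 1e9 valid
    # tokens, kept below a one-in-a-million overall chance of success.
    print(f"{bits_for_target(1e9, 1e9, 365 * 86400, 1e-6)} bits suffice")
```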