Visual studio code github personal access token
We’re excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to focus on the security of our platform and services across the web, this update shows how big an impact simple changes can have.

Many of our old authentication token formats are hex-encoded 40 character strings that are indistinguishable from other encoded data like SHA hashes. These have several limitations, such as inefficient or even inaccurate detection of compromised tokens for our secret scanning feature. We continually strive for security excellence, so we knew that token detection was something we wanted to improve. How could we make our tokens easier to identify and more secure? Without further ado, here are the design decisions behind our new authentication token formats that let us meet both goals.

Identifiable prefixes

As we see across the industry from companies like Slack and Stripe, token prefixes are a clear way to make tokens identifiable. We are including specific 3 letter prefixes to represent each token, starting with a company signifier, gh, and the first letter of the token type. The results are:

Additionally, we want to make these prefixes clearly distinguishable within the token to improve readability. An underscore is not a Base64 character, which helps ensure that our tokens cannot be accidentally duplicated by randomly generated strings like SHAs. One other neat thing about _ is that it will reliably select the whole token when you double click on it. Other characters we considered are sometimes included in application word separators and thus will stop highlighting at that character. Try out double clicking this-random-text versus this_random_text!

With this prefix alone, we anticipate the false positive rate for secret scanning will be down to 0.5%.

⚡ Checksum

Identifiable prefixes are great, but let’s go one step further. A checksum virtually eliminates false positives for secret scanning offline. A 32 bit checksum in the last 6 digits of each token strikes the optimal balance between keeping the random token portion at a consistent entropy and enough confidence in the checksum. We start the implementation with a CRC32 algorithm, a standard checksum algorithm. We then encode the result with a Base62 implementation, using leading zeros for padding as needed. We can check the token input matches the checksum and eliminate fake tokens without having to hit our database.

We of course can’t forget about token entropy. Entropy is a logarithmic measure of information or uncertainty inherent in the possible token combinations.
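As an added illustration (not GitHub's own code), here is the prefix-plus-checksum scheme described above used as an offline filter for a secret scanner: a token is assumed to be a prefix such as ghp_ for the title's personal access token, 30 random Base62 characters, and 6 Base62 digits holding the CRC32 of the random portion, with the alphabet 0-9, A-Z, a-z. The exact prefix, lengths and alphabet are assumptions for the example, not values taken from the page.

```python
# Added example: offline structural check for prefixed, checksummed tokens.
# Assumed layout: PREFIX + 30 random Base62 chars + 6 Base62 digits of CRC32
# computed over the random part only. Prefix and alphabet are assumptions.
import secrets
import zlib

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
RANDOM_LEN = 30
CHECKSUM_LEN = 6  # 62**5 < 2**32 <= 62**6, so six digits hold any CRC32 value
PREFIX = "ghp_"   # assumed: "gh" + first letter of the token type + "_"


def base62_encode(value: int, width: int) -> str:
    """Encode a non-negative int in Base62, left-padded with '0' to width."""
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(BASE62[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def checksum(random_part: str) -> str:
    """CRC32 of the random portion, rendered as a fixed-width Base62 string."""
    return base62_encode(zlib.crc32(random_part.encode("ascii")), CHECKSUM_LEN)


def make_token(random_part: str = "") -> str:
    """Build a token; the random portion comes from `secrets` when not given."""
    if not random_part:
        random_part = "".join(secrets.choice(BASE62) for _ in range(RANDOM_LEN))
    return PREFIX + random_part + checksum(random_part)


def looks_like_token(candidate: str) -> bool:
    """Scanner-side filter: prefix, length, alphabet and checksum must agree.
    Passing means the string is well-formed, not that the token is live."""
    if not candidate.startswith(PREFIX):
        return False
    body = candidate[len(PREFIX):]
    if len(body) != RANDOM_LEN + CHECKSUM_LEN:
        return False
    if any(ch not in BASE62 for ch in body):
        return False
    random_part, given = body[:RANDOM_LEN], body[RANDOM_LEN:]
    return checksum(random_part) == given
```

A 40-character hex SHA fails at the prefix step, and a token with one corrupted character fails the checksum, so neither ever reaches the database lookup.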