stonith404 / pingvin-share

A self-hosted file sharing platform that combines lightness and beauty, perfect for seamless and efficient file sharing.
https://stonith404.github.io/pingvin-share/
BSD 2-Clause "Simplified" License
3.44k stars, 238 forks

🚀 Feature: Extend (or let an admin specify the default) length of the randomly generated link ID of share links #613

Closed XStylus closed 2 days ago

XStylus commented 2 months ago

🔖 Feature description

In the "Create Share" menu when creating a share, pingvin randomly generates a link ID (e.g. www.example.site/[LINK-ID]).

The default length of that randomly generated ID is seven characters. From a security perspective, that is quite short. Simple brute-force methods would be able to expose that link in a very short time.

I would like to request that the default length be 11 characters or longer.

As a bonus, it would be helpful if there could be a way for an admin to specify the default length.

🎤 Pitch

I have several users who use pingvin that are not tech savvy or security savvy. Although a user can manually specify a custom link ID, most users in my use-case will simply go with whatever is presented. I would therefore like to make the default options presented to my users be as secure as possible.

Though a link ID isn't a proper substitute for a password-protected share link, making the link IDs less brute-forceable couldn't hurt. According to https://www.security.org/how-secure-is-my-password/, a seven character ID could be brute-forced in roughly a minute.

[Two screenshots attached: Screenshot 2024-09-24 at 10 23 13 PM, Screenshot 2024-09-24 at 10 23 34 PM]

stonith404 commented 2 months ago

Brute force isn't really a risk as it is only possible to send 100 requests per minute to Pingvin Share. It would take 6 million years to brute force all share IDs at this rate:

62 characters = 26 lowercase + 26 uppercase + 10 digits
3'521'614'606'208 combinations = 62^7
35'216'146'062 minutes = 3'521'614'606'208 / 100
6'695'731 years = 35'216'146'062 minutes

maos1337 commented 1 month ago

That's the answer from ChatGPT for your calculation:

"The number of unique links is calculated as number of possible characters ^ length of the link. For example, if the link uses alphanumeric characters (62 possible characters) and is 7 characters long, the number of possible combinations is:

62^7 ≈ 3.52 trillion combinations

While this sounds like a large number, it might not be large enough for very high-security needs. If someone tries a brute-force attack (trying every possible combination), this number can be cracked depending on the attacker's resources.

Shorter links are more susceptible to brute-force attacks. With modern computing power, a well-resourced attacker could attempt to guess millions or even billions of link combinations quickly. If the service doesn't rate-limit attempts or doesn't add extra security layers (e.g., CAPTCHAs, IP rate limiting), this can be a vulnerability."

I think it would be more secure to make the generated links larger.

romainricard commented 6 days ago

As I discovered this issue after creating a PR, my two cents:

stonith404 commented 6 days ago

@romainricard Thanks for your PR, I'll look into it ASAP.

The only way to speed up brute-forcing is by using multiple proxies (with different IPs) since Pingvin Share limits each IP to 100 requests per minute. This makes brute-forcing practically impossible. Even with 10,000 proxies, it would still take 600 years to succeed.

However, your second point is valid: users might not know about this rate limit and could see a short ID as a security risk.
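The rate-limited brute-force arithmetic from this thread (the 62-character alphabet, 7-character IDs and 100 requests per minute per IP above, and the multi-proxy scenario in the last comment), generalized into a small model. This is an added example, not code from Pingvin Share or from any of the commenters. It takes the ID length, the per-IP limit, the number of attacker source addresses and the number of live shares on the server, and reports both the time to exhaust the whole keyspace and the expected time until the first guess lands on any valid share. Every parameter value other than the 62-character alphabet, the 7-character length and the 100/minute limit is a constructed assumption for illustration.

```python
"""Brute-force cost model for random share IDs behind a per-IP rate limit.

Added example, not from the Pingvin Share project or the issue thread.
Assumptions: IDs are drawn uniformly from a 62-character alphanumeric
alphabet, the server allows `rate_per_ip` requests per minute per source
address, and the attacker controls `ips` distinct source addresses.
"""
from dataclasses import dataclass

ALPHABET_SIZE = 62                # 26 lowercase + 26 uppercase + 10 digits
MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


@dataclass(frozen=True)
class Estimate:
    length: int
    keyspace: int
    guesses_per_minute: int
    live_shares: int
    worst_case_years: float   # time to enumerate the entire ID space
    expected_years: float     # mean time until the first guess hits a live share


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct IDs of the given length."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def expected_guesses(space: int, live_shares: int) -> float:
    """Mean number of distinct guesses until one hits any live share.

    Drawing without replacement from `space` IDs of which `live_shares` are
    valid, the first hit lands on average at position (space + 1) / (live_shares + 1).
    With a single share this is about half the keyspace, the usual average
    case for a blind search; with many shares it shrinks proportionally.
    """
    if not 1 <= live_shares <= space:
        raise ValueError("live_shares must be between 1 and the keyspace")
    return (space + 1) / (live_shares + 1)


def estimate(length: int, rate_per_ip: int = 100, ips: int = 1,
             live_shares: int = 1, alphabet_size: int = ALPHABET_SIZE) -> Estimate:
    """Time to brute-force an ID of `length` characters when each of `ips`
    source addresses may send `rate_per_ip` requests per minute."""
    if rate_per_ip < 1 or ips < 1:
        raise ValueError("rate_per_ip and ips must be >= 1")
    space = keyspace(length, alphabet_size)
    per_minute = rate_per_ip * ips
    worst = space / per_minute / MINUTES_PER_YEAR
    expected = expected_guesses(space, live_shares) / per_minute / MINUTES_PER_YEAR
    return Estimate(length, space, per_minute, live_shares, worst, expected)


def min_length_for(target_years: float, rate_per_ip: int = 100, ips: int = 1,
                   live_shares: int = 1, max_length: int = 64) -> int:
    """Smallest ID length whose expected brute-force time is at least
    `target_years` under the given attacker model (an admin's default-length
    choice)."""
    for length in range(1, max_length + 1):
        if keyspace(length) < live_shares:
            continue  # too few IDs to even hold that many shares
        if estimate(length, rate_per_ip, ips, live_shares).expected_years >= target_years:
            return length
    raise ValueError(f"no length <= {max_length} meets the target")


if __name__ == "__main__":
    print(f"{'len':>3} {'keyspace':>24} {'worst-case years':>17} {'expected years':>15}")
    for length in (7, 8, 11, 16):
        e = estimate(length)  # single attacker IP, single live share
        print(f"{e.length:>3} {e.keyspace:>24,} {e.worst_case_years:>17.3g} {e.expected_years:>15.3g}")

    # Constructed scenario: 10,000 attacker IPs against a server with 1,000 live shares.
    e = estimate(7, rate_per_ip=100, ips=10_000, live_shares=1_000)
    print(f"7 chars, 10k IPs, 1k live shares: expected {e.expected_years * 365:.1f} days")
    print("min length for >= 1000 expected years in that scenario:",
          min_length_for(1000, rate_per_ip=100, ips=10_000, live_shares=1_000))
```

Two things the model makes visible that a single-space figure does not: the attacker does not need a particular share, only any one of the live shares, so the expected time divides by roughly the number of shares on the instance; and each extra character multiplies every figure by 62, so `min_length_for` turns a rate limit, a proxy budget and a share count into a concrete default length.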