realashleybailey
commented
10 months ago Brute forcing a field that has 36^6 combinations, thats 2,176,782,336 possibilities, the server would most likely crash before they got the correct possibility, reCAPCHA is a future feature that will be added at some point but this would only be opt in if people choose to go set up a captcha account and fill in the api key, script kiddies aint gonna be brute force it with there little Dell XPS and 50kb internet connection lol. Also if your using the invites in the recommended way where they become stale after a single use then its even less that someones gonna be able to bruteforce it. We like to keep the invite links to a consistent format.
The default 6 characters might not be enough once bots discover a publicly accessible wizzarr instance. Bruteforcing a link like https://wizzarr.somedomain.com/j/UDYQCA is fairly easy for an adversary once the domain is known. Even if the expiration duration is set to a low number.
Could the default number of random characters be prolonged, while still retaining he option to write shorter or personalized invites?