# Tutorial :How long should a â€œremember meâ€ token be?

### Question:

I'm trying to add "remember me" functionality to a website using a cookie with the user's username and a token, which is also stored encrypted in a database. My question is how long should this token be? One website I read said 128bit, which in my thinking is 16 characters. I'm not too worried about duplicates as even 16 characters from a character set of 256 characters provides a huge number of possibilites and the chance of duplicates at the same time is slim.

How long should the token be? (I'm not wondering about how to generate the value or how unique.)

### Solution:1

I think it depends more on how the value is randomised than how long it is. A 256 bit hash is not secure at all if it's just a hash of something that can easily be guessed or narrowed down such as a unique ID based on the time.

However, as you've said, you are not specifically asking about how to make it random enough.

An estimated 2^80 (or more) required operations in order to break something is usually a good measure. This would imply an 80 bit hash is secure. (If you were vulnerable to birthday attacks, you'd need double that ie 160 bits, but I don't think this situations applies).

Personally, for this purpose I use 256 bit hashes. When base64 encoded, they compress down to only 43 characters in length, all printable characters. I figure that even though it's way more than what I need, it's not a big hassle having them that long.

### Solution:2

Just use a GUID. Many databases support them as a native type; they're easy to manipulate in most popular languages/frameworks; translate perfectly from one platform to another; and every one is unique.

### Solution:3

You can always just look at what others have done, like Oauth2 which suggests the token be between 128 and 160 bits, and do the same. I like this post, which says 122 bits should be adequate "for most purposes, including launch codes for nuclear missiles." Which is funny if you believe the actual launch code may have been 00000000 for 20 years. So much for the security of our 160 bit tokens.

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »