They can be made pretty secure for those purposes. Most likely what happened in your case was that one of your clients/coworkers/other posted such a URI in a blog/forum/other that Google spiders. As a rule of thumb, GET requests should never add, destroy, or alter data. Spiders won't* follow POST.

Here are my thoughts on making these URIs secure:

First, always have such a URI on a 72-hour dead clock. You send the URI to the user and it's good until used or 72 hours later. Then they need to generate a new one.

Second, make it two factor. Rather than having something.com/reset_pass/12345, have it be something.com/reset_pass/{user_id}/12345. Just another level of protection.

Third, use base 62 numbers (0-9, a-z, A-Z). It's something any browser can handle with no special chars. Remember, base is more important than length. A 6-digit, base 62 number will go to greater than 56 billion different combinations. If someone guesses from one of 56 billion numbers, holy sh*t do they deserve to break in. If you're paranoid, make it 10 digits and get over 800 quadrillion combinations. No one is going to brute force that, and 10 digits is still small to display.

Fourth, you can rate limit by IP address. Set it high - like, a 100 attempts per hour limit. Why so high? You don't want to piss off users who are, well, stupid. And to get to 800 quadrillion making 100 attempts per hour would take millions of years - heck, let's say you're so high-profile that they'd put a farm of 100,000 IP addresses on it, you're still looking at over a million years.

In many ways, these URIs can be made more secure than passwords since most passwords won't be as random or strong. There are some caveats:

These URIs will show up in browser histories and your server logs. They are one-time secure things. Once the user has used it, the next time they need such a thing, they need a new URI. If someone gets into your logs, they can see these URIs and reset people's passwords unless they expire on use. Same with browser history.

As I've mentioned, they can be posted. Users post things they shouldn't all the time (including passwords). Have it time out so it's only a breach for a short period.

Don't use it as a replacement for user/pass. Just don't. If the same URI stays good, it is insecure.

Good luck!
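The scheme above, as an added example that is not part of the original answer: a 10-character base 62 token bound to a user id, a 72-hour clock, single use, and a per-IP attempt limit of 100 per hour. The in-memory store, the `ResetTokens` class and the injectable clock are assumptions for illustration; storing only a hash of the token goes slightly beyond the answer so that a copy of the server-side store alone cannot redeem a token.

```python
import hashlib
import secrets
import time

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"  # base 62
TOKEN_LEN = 10            # 62**10 is a bit over 800 quadrillion combinations
TTL_SECONDS = 72 * 3600   # the 72-hour dead clock
RATE_LIMIT = 100          # attempts per IP per hour


def new_token(length=TOKEN_LEN):
    """Random base 62 token from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokens:
    """Hypothetical in-memory reset-token store; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self._tokens = {}    # user_id -> (sha256(token), expiry timestamp)
        self._attempts = {}  # (ip, hour bucket) -> attempt count

    def issue(self, user_id):
        token = new_token()
        self._tokens[user_id] = (_digest(token), self.now() + TTL_SECONDS)
        return f"/reset_pass/{user_id}/{token}"   # user id + token: the second factor

    def redeem(self, user_id, token, ip):
        # Rate limit first, so guessing costs attempts whether or not the user exists.
        bucket = (ip, int(self.now() // 3600))
        self._attempts[bucket] = self._attempts.get(bucket, 0) + 1
        if self._attempts[bucket] > RATE_LIMIT:
            return False
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        stored_digest, expiry = entry
        if self.now() > expiry:               # dead clock ran out
            del self._tokens[user_id]
            return False
        if not secrets.compare_digest(stored_digest, _digest(token)):
            return False                      # constant-time compare, token stays pending
        del self._tokens[user_id]             # one-time: expires on use
        return True
```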