Is it okay to use random URLs instead of passwords? [closed]

Is it considered "safe" to use a URL constructed from random characters like this?

http://example.com/EU3uc654/Photos

I'd like to put some files/picture galleries on a webserver that are only to be accessed by a small group of users. My main concern is that the files should not get picked up by search-engines or curious power-users that poke around my site.

I've set up an .htaccess file, only to notice that clicking on http://user:pass@url/ links doesn't work well with some browsers/email clients, prompting dialogs and warning messages that confuse my not-too-computer-savvy users.


Solution 1:

Whether it is "okay" or not depends on how sensitive the images are.

If you are not using SSL, the URLs, HTML and the images themselves will be cached on your users' computers. This could leak but I would consider it unlikely.

Browser toolbars, especially ones made by companies that run crawlers, such as Alexa and Netcraft, can report visited URLs back to their parent sites, ready for the bot to come and crawl later.

Proper authentication such as HTTP auth or a POST variable should not be cacheable this way or reported back to any parent website.

Another technique is to use unique and short-lived URLs. That way, even if they do leak, it doesn't matter much. Of course, you have to keep updating your legitimate users with the new URLs.
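
One way to build the short-lived URLs mentioned in Solution 1, as an added example that is not part of the original answer: the server appends an expiry time and an HMAC over the path and that expiry, then refuses any request whose signature does not match or whose expiry has passed. The parameter names `expires` and `sig`, the `/Photos/album1` path and the per-process key are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real server would load one persistent secret instead.
SECRET_KEY = secrets.token_bytes(32)


def _signature(path, expires, key):
    """HMAC-SHA256 over the path and the expiry, so neither can be altered."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(base, path, ttl_seconds, key=SECRET_KEY, now=None):
    """Return base+path with an expiry timestamp and a signature appended."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{base}{path}?{query}"


def check_link(url, key=SECRET_KEY, now=None):
    """True only if the signature matches this path and the link is unexpired."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters
    expected = _signature(parts.path, expires, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return now < expires


if __name__ == "__main__":
    link = make_link("http://example.com", "/Photos/album1", ttl_seconds=3600)
    print(link, check_link(link))
```

A leaked link of this kind stops working once its expiry passes, and changing the path or the expiry in the URL invalidates the signature.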

Solution 2:

No, not really; this is just security through obscurity, which is no security at all. Anything which is directly accessible from the internet without some form of real protection will be found, indexed and cached.