Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Are long URLs better for security than short URLs?

Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience.

My organization has created a URL for a Google Doc for others to share. The URL contains more than 100 characters....

Are there security issues in shortening the URL to six characters? Are there benefits to having long URLs?

Short URLs are designed for convenience, not for security. They contain a domain -- such as goog.le -- and five or six tokens.

Long URLs of 100 tokens or more are difficult to remember. They need to be copied and pasted from an email's message block into the URL address field. However, Twitter, for example, limits its users to 120 characters. Also, it is easier for users to remember a short URL and type it in the URL address field.

Friends and trusted collaborators use short URLs to share Google Docs and Sheets on desktops, tablets and smartphones. Users are not required to use passwords to view and edit these files. When using mapping services, users share locations and directions between, for example, home residences and medical facilities or physician offices.

An attacker can scan short URLs using brute-force searches. When the attacker discovers a short URL, running it exposes the long URL in plain view text. This exposure enables the attacker to inject, for example, malware into editable Microsoft Word and Excel files and scripts for images and videos.

Microsoft OneDrive and Google Drive are two primary cloud storage services that generate long URLs. Cloud-stored files are automatically copied to a user's personal computers, tablets and other devices. These include files the attacker injected with malware in the cloud.

Beginning in September of 2015, newly created short URLs for Google Maps have a token of 11 or 12 characters. This makes it more difficult and time-consuming for the attacker to scan the URLs by brute-force, discover a short URL and exploit the content behind it.

On March 2016, Microsoft removed the shorten link option from OneDrive. All previously generated short URLs are vulnerable to scanning and malware injection.

Longer tokens in short URLs are not available for Google Docs and Sheets. Enterprises and users should continue to use long URLs.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to detect malicious shortened URLs

Discover the security risks of URL-shortening services

Find out how to prevent data loss in Office 365

This was last published in September 2017

Dig Deeper on Web browser security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What do you think about long versus short URLs?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close