alphaspirit - Fotolia

Are long URLs better for security than short URLs?

Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience.

My organization has created a URL for a Google Doc for others to share. The URL contains more than 100 characters. Are there security issues in shortening the URL to six characters? Are there benefits to having long URLs?

Short URLs are designed for convenience, not for security. They contain a domain -- such as goog.le -- and five or six tokens.

Long URLs of 100 tokens or more are difficult to remember. They need to be copied and pasted from an email's message block into the URL address field. However, Twitter, for example, limits its users to 120 characters. Also, it is easier for users to remember a short URL and type it in the URL address field.

Friends and trusted collaborators use short URLs to share Google Docs and Sheets on desktops, tablets and smartphones. Users are not required to use passwords to view and edit these files. When using mapping services, users share locations and directions between, for example, home residences and medical facilities or physician offices.

An attacker can scan short URLs using brute-force searches. When the attacker discovers a short URL, running it exposes the long URL in plain view text. This exposure enables the attacker to inject, for example, malware into editable Microsoft Word and Excel files and scripts for images and videos. 

Microsoft OneDrive and Google Drive are two primary cloud storage services that generate long URLs. Cloud-stored files are automatically copied to a user's personal computers, tablets and other devices. These include files the attacker injected with malware in the cloud.

Beginning in September of 2015, newly created short URLs for Google Maps have a token of 11 or 12 characters. This makes it more difficult and time-consuming for the attacker to scan the URLs by brute-force, discover a short URL and exploit the content behind it.

On March 2016, Microsoft removed the shorten link option from OneDrive. All previously generated short URLs are vulnerable to scanning and malware injection.

Longer tokens in short URLs are not available for Google Docs and Sheets. Enterprises and users should continue to use long URLs.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to detect malicious shortened URLs

Discover the security risks of URL-shortening services

Find out how to prevent data loss in Office 365

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing