---
title: Reference Tokens 128-bit Entropy CSPRNG
impact: HIGH
impactDescription: prevents token brute-forcing
tags: tokens, entropy, csprng, session, security
---

## Reference Tokens 128-bit Entropy CSPRNG

A reference token (session ID, refresh token, reset code) is an opaque lookup key: it carries no signed claims, so its entire security rests on being unguessable. Tokens with too little entropy, or drawn from a predictable generator, can be guessed or brute-forced; a token holding 128 bits of CSPRNG output needs on the order of 2^127 guesses on average, which is computationally infeasible even for an offline attacker. Length alone is not enough: the bytes must come from a cryptographically secure source, because a seeded PRNG such as Go's `math/rand` is predictable to anyone who can reconstruct its seed, however long its output.

**Incorrect (low entropy tokens):**

```go
import (
    "fmt"
    "math/rand" // not a CSPRNG: output is a deterministic function of the seed
    "strconv"
)

// Low entropy and predictable: at most 63 bits, and before Go 1.20 the
// global math/rand generator used a fixed default seed of 1, so every
// process start produced the same sequence of "tokens".
token := fmt.Sprintf("%d", rand.Int63())

// Predictable: a counter is enumerable by anyone who has seen one token.
token = "session_" + strconv.Itoa(counter)
```

**Correct (high entropy tokens via crypto/rand):**

```go
import (
    "crypto/rand"
    "encoding/base64"
)

// GenerateToken returns nBytes of CSPRNG output, URL-safe base64 encoded.
// nBytes is the entropy budget (16 bytes = 128 bits); the encoded string is
// longer (22 characters for 16 bytes) but carries no additional entropy.
func GenerateToken(nBytes int) string {
    b := make([]byte, nBytes)
    // crypto/rand reads from the OS CSPRNG. If that fails there is nothing
    // safe to return, so fail closed rather than issue a weak token.
    if _, err := rand.Read(b); err != nil {
        panic(err)
    }
    // RawURLEncoding omits '=' padding, so the token can sit in cookies,
    // headers and query strings without further escaping.
    return base64.RawURLEncoding.EncodeToString(b)
}

func issueTokens() (sessionToken, refreshToken string) {
    // 128-bit minimum entropy (16 bytes)
    sessionToken = GenerateToken(16)

    // 256-bit recommended (32 bytes), especially for long-lived tokens
    refreshToken = GenerateToken(32)
    return sessionToken, refreshToken
}
```

**Entropy levels:**

| Random bytes | Bits of entropy | Average guesses | Security level |
|--------------|-----------------|-----------------|----------------|
| 8 | 64 | 2^63 | Weak |
| 16 | 128 | 2^127 | Minimum |
| 32 | 256 | 2^255 | Recommended |

Count only the random bytes drawn from the CSPRNG. Hex or base64 encoding makes the string longer but adds no entropy, and a token built from `math/rand`, a timestamp or a counter has far less than its length suggests.
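
Putting the rule to work, as an added example that is not part of the original page: a Go program with a generator that refuses entropy budgets below 16 bytes, an audit helper that recovers the bit count from an already-issued token, and the `math/rand` anti-pattern shown reproducing itself from a known seed. The function names (`NewReferenceToken`, `EntropyBits`, `CheckToken`, `PredictableToken`) and the sample token values are my own choices for illustration, not names from any library.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
)

// MinTokenBytes is the 128-bit floor stated in this rule.
const MinTokenBytes = 16

// PredictableToken reproduces the incorrect pattern: a token drawn from
// math/rand. The seed is a stand-in for whatever an attacker can reconstruct
// (a timestamp, a PID, or the fixed default seed of 1 that math/rand used
// before Go 1.20). Equal seeds give equal "tokens".
func PredictableToken(seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%d", r.Int63())
}

// NewReferenceToken draws nBytes from the OS CSPRNG and returns them as
// unpadded URL-safe base64, refusing budgets below the 128-bit floor.
func NewReferenceToken(nBytes int) (string, error) {
	if nBytes < MinTokenBytes {
		return "", fmt.Errorf("token needs at least %d random bytes, got %d", MinTokenBytes, nBytes)
	}
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// EntropyBits is an audit helper for tokens in the NewReferenceToken format:
// it decodes the base64 and reports 8 bits per decoded byte. The encoded
// string is about a third longer than the raw bytes but carries no extra
// entropy, so only the decoded length counts.
func EntropyBits(token string) (int, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return 0, fmt.Errorf("not a raw URL-safe base64 token: %w", err)
	}
	return len(raw) * 8, nil
}

// CheckToken enforces the 128-bit floor on a token already in circulation.
func CheckToken(token string) error {
	bits, err := EntropyBits(token)
	if err != nil {
		return err
	}
	if bits < MinTokenBytes*8 {
		return fmt.Errorf("token carries %d bits, below the %d-bit minimum", bits, MinTokenBytes*8)
	}
	return nil
}

func main() {
	// Constructed demonstration values; nothing here comes from a real system.
	fmt.Println("math/rand, seed 1, two runs:", PredictableToken(1), PredictableToken(1))

	session, err := NewReferenceToken(16)
	if err != nil {
		panic(err)
	}
	bits, _ := EntropyBits(session)
	fmt.Printf("session token %s: %d chars, %d bits\n", session, len(session), bits)

	// A constructed 5-byte token ("short" in base64) fails the audit.
	fmt.Println("audit of short token:", CheckToken("c2hvcnQ"))
}
```

The audit helper only works for tokens your own code issued in this encoding; for tokens of unknown origin, the honest answer is that you cannot measure entropy from the ciphertext-like string alone, and the review has to go back to the generator that produced it.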

**Tools:** `crypto/rand` for generation; `gosec` (rule G404 flags `math/rand` in security-sensitive code) or a manual code audit to find any session ID, reset code or API key built from `math/rand`, timestamps or counters.
