---
title: Use High Entropy for Tokens
impact: HIGH
impactDescription: ensures tokens are unpredictable and cannot be guessed
tags: security, tokens, entropy
---

## Use High Entropy for Tokens

Always use cryptographically secure random values (CSPRNG) with sufficient entropy (at least 128 bits) for all security tokens.

**Incorrect (low entropy):**

```ruby
token = rand(10**10).to_s # Not long enough and not secure
```

**Correct (High entropy):**

```ruby
require 'securerandom'
token = SecureRandom.hex(32) # 256 bits of entropy
```

**Tools:** Brakeman, SecureRandom
---