Give me a break -- we're just arguing semantics at this point. My whole premise was that tokens are a secret, just like passwords are a secret, and that tokens should be treated like a first-class secret. Not that they're absolutely "the same." The article gives the illusion that Simple Random Tokens are safe to store as plain text. I was arguing that it's not, and that the token should be ran through an HMAC function at the very least to prevent plain text storage and to harden against timing attacks when querying. Nowhere was I implying that passwords and tokens are strictly identical in all aspects. I've worked at places where tokens are stored in plain text (i.e. almost everywhere I've worked) and it's a bad practice.
This is not true at all. This whole discussion is pretty confused. All of the mitigations we apply to passwords are premised on passwords being (1) cryptographically weak, (2) irrevocable, and (3) infectious to other systems. Nerds are, for reasons I will never understand, hyperfixated on "salting". Randomized password hashes primarily address an old attack that is more or less irrelevant to any modern hash or KDF. But that attack, too, mattered because (1), (2), and (3) hold for passwords.
Semantically these are very different objects/concepts
Passwords:
- tightly couple authentication (I am kortex) and authorization (I can do everything logged-in kortex can do)
- not meant to be rotated unless breached (forced password rotation mandates weaken passwords, imho)
- are passwords meant for human transport, if even briefly
- hard to revoke (once expired, still valid until user rotates)
- usually insufficient entropy, dependent on user habits
- one flavor: a secret string
Tokens:
- decouple authentication and authorization
- ephemeral
- revokable
- enable automatic rotation (session tokens vs auth tokens)
- can have metadata
- as much entropy as you want
- many flavors