How unlikely is it that a Google Doc link is guessed?

Assuming the document ID distribution is uniform and unpredictable, here's the math:

  • 44 characters long
  • Uppercase, lowercase, digits and underscore =
    26 + 26 + 10 + 1 = 63 character alphabet

Therefore:
Total possible combinations: 6344
keyspace: 263 bits ⇐ 44 * log2(63)

And we know that brute-forcing a 263-bit key in any reasonable amount of time (lifetime of the universe) is well beyond what the laws of physics will allow, no matter how advanced and magical and "quantum" the computers may become.

This may seem a bit bold an assertion, but it comes from the fact that the sun simply doesn't put out enough energy in such a timeframe to count that high. See page 157 of Schneier's Applied Cryptography for the details, or look at this answer here where I summarized the math, or this answer where lynks quoted the entire section from Schneier's book.

Specifically, the sun's energy is only sufficient to count to 2187 per year, meaning it will take 276 years with our own sun, 275 years if we could harness 2 suns, etc. You might barely have enough power to count to 2256 if you were to power your computer with the supernova destruction of every star in the Milky Way Galaxy. So that's getting somewhere.


While it still may take a very large time to bruteforce (close to infinity), it is not really smart to keep confidential documents protected that way. If you don't care who reads it then it doesn't matter. But I wouldn't put the specifications of your latest project on Google Docs.

You are also risking the fact that the links may leak, when authentication is needed you can still prevent people from accessing your file. If, however, authentication is not forced, anyone that can get its hands on the link, can view the document.


I'd be more likely to try and make sure all my users had google logins and had permissions on the document folder - there's shades of grey between "wide open" and "add each permission individually".

Apocryphally I have seen "patterns" in docs links - so I remain unconvinced about the level of security provided, though I would not like to try and break in myself!

Also, be aware of "link lying around" attacks - someone mentioned browsers remembering it, there's also caches, web proxy logs, url shorteners, search engines, email forwarding... al sorts of dubious ways the link could spread, likely to people who may find it "useful".

Worse, using the "all open" method, you don't know if someone's poking about, and if they do, applying more security after the fact will suck doublehard.