The average Google Docs link has more entropy than the average username/password combination. So unless you want to argue that everything online is public to some extent, I don't think your claim makes much sense.
the google docs links arent stateless logins, you cant login to google as me because you guessed the hash of my word doc (or more likely, I gave it to you).
A password is not a magic spell. It's a set of letters and numbers that, if guessed correctly, will give me access to something you wanted kept private.
An obfuscated URL is a set of letters and numbers that, if guessed correctly, will give me access to something you wanted kept private.
Because one uses a MySQL database, and the other uses a file system, is irrelevant. They are functionally identical when directory listing is disabled, as it can be for Amazon S3.
I'd be interested in knowing what the length a hash needs to be to communicate "you should not attempt to circumvent this and post the nude pictures behind it", and also how secure a lock needs to be to communicate "you should not attempt to jimmy this with a credit card and post the nudie pictures behind it."
Well, to tell the truth, if there's a 'lock', it's pretty obvious you shouldn't be doing it. If there's just a hash, it strikes me as simply a bad idea in the first place, no matter how long it is. Someone can just do 'copy image url' and have it work, with no challenge from the application. A shorter hash is especially bad because it makes them easy to guess at. I'm not saying it's "right" to copy images protected only with a hash, but it's like leaving an expensive bicycle unlocked on a college campus in the US - it's simply not very prudent. Of course in this case the users probably weren't aware of the problem, and the people who made the application are at fault.
Edit: like daleharvey says, the point is really that the hash simply happens to be difficult to find, whereas a proper application will challenge everyone who attempts to access the resource. For instance, say Alice looks at Bob's picture, and does "copy image url", and sends it to Carol. Carol has no way of knowing whether it's supposed to be private or not, since Alice didn't communicate that information.
A password can usually be changed if compromised, and a password system usually contains measures to prevent brute-forcing; like cooldown times and a lockout after three guesses for example.
If you build those same measures into your URL then they have the same level of security; plus you can make your URL key a lot longer than would be comfortable for a password.
its not about filesystem vs database, where the data is stored is arbitrary, its about how much information you need to access it, apart from the increased entropy in using 2 bits of information (a username + a password (depending on the link size)), you can also implement things like locking accounts when someone guesses the password wrong X times, something that is impossible with a single entry point.
