What are passwords if not difficult to guess strings? It’s usually safer to create a link with 32 random characters than letting users come up with their own passwords such as "qwer1234".
I disagree. There’s a reason why security by obscurity gets a bad rap. Browsers generally treat passwords as sacred — not saving or logging them unless the user explicitly asks. On the other hand, the URL bar gets saved to history, sent as a referrer when links are clicked (in some browsers), might be sent to an external server by the browser or extensions, etc.
I agree with the part about a URL being less secure than a password. However, it's not security by obscurity. It's just less secure and more convenient. But the URL scheme merely grants you access to a ticket, not the whole account, so the potential damage is negligible.
32 random characters (192 bits of entropy if you assume base64) is a lot more than just "difficult" to find. I'm pretty sure that is not what the article meant by difficult to find pages.
99% of security issues are silly and avoidable in retrospect. I don't think an insecure direct reference (assuming that's what is meant) is really all that different from most XSS, SQLi, etc.