How hard is it to hack the JWT HS256 algo?


By convention, I see a lot of folks using this approach to generate a private key from a Node.js console:

require('crypto').randomBytes(64).toString('hex') 

But considering I could input other values besides 0-9 and A-Z, I wondered: would my key be more secure if I used non-hex characters?

Second, if my key is 64 bytes for the HS256 algorithm, how much time would it take an attacker to brute force the signature? My JWTs are only valid for 15 minutes, but that doesn’t stop an attacker from logging in, grabbing an access token and brute forcing it.

My JWTs maintain 3 claims that I don’t encrypt — the email address of the user, the user’s ID (which never changes) and a boolean value. I was considering appending to my key the hash value of the user’s ID so that brute forcing the key (if successful) would only yield the password for that one user as the attacker would likely not realize that I appended the hash of the user’s ID.

I’m just concerned that JWTs aren’t as secure as session IDs in a cookie as I can control how many requests an attacker can make from my endpoints but can’t control a brute force against an offline verify.
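
An added example, not part of the original post: HS256 signing and verification with Node's built-in crypto module, using a key generated as in the post, to show what HMAC-SHA256 does with the 128-character hex string. The function names (`signHS256`, `verifyHS256`, `effectiveHmacKey`) and the sample claims are hypothetical; the key-hashing step follows the HMAC definition in RFC 2104.

```javascript
// Added example (not from the original post). Node.js built-ins only.
const nodeCrypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (key, msg) => nodeCrypto.createHmac('sha256', key).update(msg).digest();

// HS256 = HMAC-SHA256 over "<base64url header>.<base64url payload>".
function signHS256(claims, key) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${header}.${body}.${b64url(hmac(key, `${header}.${body}`))}`;
}

// Returns the claims when the signature and exp check out, otherwise null.
function verifyHS256(token, key, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (hdr?.alg !== 'HS256') return null; // pin the algorithm, never trust the header
  const expected = hmac(key, `${header}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims?.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// HMAC (RFC 2104) replaces a key longer than the hash block size (64 bytes
// for SHA-256) with its hash, so the 128-character hex string is reduced to
// a 32-byte key internally. Its strength comes from the 64 random bytes
// drawn, not from the alphabet used to print them.
function effectiveHmacKey(key) {
  const k = Buffer.from(key);
  return k.length > 64 ? nodeCrypto.createHash('sha256').update(k).digest() : k;
}

// Constructed sample: key generated as in the post, claims are made up.
const demoKey = nodeCrypto.randomBytes(64).toString('hex');
const demoToken = signHS256({ sub: '42', exp: Math.floor(Date.now() / 1000) + 900 }, demoKey);
console.log(verifyHS256(demoToken, demoKey), effectiveHmacKey(demoKey).length);
```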