The official Auth0 site contains the following passage.
Security Concerns and Recommendation
Let's take another look at the keys we used to generate the tokens that were cracked easily. What are the key sizes? The first key, Sn1f is 32-bit.
1 character = 8 bits
The second key, secret is 48-bit. This is simply too short to be a valid key. In fact, the JSON Web Algorithms RFC 7518 states that a key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with the HS256 algorithm.
I therefore recommend that anyone trying to generate JSON Web Tokens and sign them with HS256 use a properly sized secret key. Auth0 secret keys are 512 bits in length and not susceptible to this type of brute force attack. Additionally, Auth0 allows you to easily sign your JWTs with RS256.
In summary: to withstand brute force attacks, an HS256 key must be at least as large as the hash output, which for HS256 means 256 bits (32 bytes). Note that 32 bytes only give 256 bits of strength if every byte is random; a 32-character passphrase or a dictionary word such as "secret" has far less entropy, so the key should come from a cryptographically secure random generator rather than from a human-chosen string.
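The following example, added here and not taken from the Auth0 article or from any Auth0 library, makes the key-size point concrete. It signs and verifies HS256 JWTs with only the Python standard library (hmac, hashlib, base64, json), refuses keys shorter than the 32 bytes RFC 7518 requires, generates a proper key with `secrets.token_bytes`, and runs a small dictionary attack against a token signed with the 48-bit key "secret" from the quoted text. The wordlist, the payload and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash output.
MIN_HS256_KEY_BYTES = 32  # 256 bits


def b64url_encode(data: bytes) -> str:
    """JWS-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_hs256_key(key: bytes) -> None:
    """Reject keys that are too short for HS256 (the check Auth0's text asks for)."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(
            f"HS256 key is {len(key) * 8} bits; RFC 7518 requires at least "
            f"{MIN_HS256_KEY_BYTES * 8} bits"
        )


def generate_hs256_key() -> bytes:
    """A 256-bit key from the OS CSPRNG, not a typed passphrase."""
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


def sign_hs256(payload: dict, key: bytes, enforce_key_size: bool = True) -> str:
    """Build header.payload.signature; enforce_key_size=False only exists to
    reproduce the weak tokens discussed in the text."""
    if enforce_key_size:
        check_hs256_key(key)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))


def dictionary_attack(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess of the HS256 key: the attacker only needs the token itself."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    message = f"{header_b64}.{payload_b64}".encode("ascii")
    target = b64url_decode(sig_b64)
    for candidate in candidates:
        if hmac.compare_digest(hmac.new(candidate, message, hashlib.sha256).digest(), target):
            return candidate
    return None


# Constructed wordlist for the demonstration; real attacks use millions of entries.
WORDLIST = [b"password", b"123456", b"Sn1f", b"admin", b"secret", b"changeme"]
PAYLOAD = {"sub": "alice", "role": "user"}


if __name__ == "__main__":
    weak = sign_hs256(PAYLOAD, b"secret", enforce_key_size=False)  # 48-bit key, as in the text
    print("weak token key recovered:", dictionary_attack(weak, WORDLIST))

    strong_key = generate_hs256_key()
    strong = sign_hs256(PAYLOAD, strong_key)
    print("strong token verifies:", verify_hs256(strong, strong_key))
    print("strong token key recovered:", dictionary_attack(strong, WORDLIST))
```

The weak token is cracked instantly from the wordlist, while the token signed with the random 32-byte key verifies correctly and yields nothing to the same attack; `check_hs256_key` makes the default path refuse the short key outright.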