alemwjsl 4 hours ago

Ok; salt, and then hash your bucket names

xxs 3 hours ago | parent [-]

That doesn't help either. 'Salt' is public and usually different/unique per entry/name.

If you mean to use a "secret" prefix (i.e. a pepper), then that would generate effectively globally unique names each time (and unpredictable too), but you can't change the pepper and it's only a matter of time before it leaks.

tosti an hour ago | parent | next [-]

Random pepper. Or just, y'know, randomly generate the effing string. Can't be that hard.

lcnPylGDnU4H9OF an hour ago | parent | prev [-]

If they can't make the bucket before you do, then they are not "bucket squatting", and they can't do so for a salted and hashed bucket name without knowing the salt at runtime.

The public/private distinction seems moot here, too: the salt is a throwaway since you just need the bucket name.

Even if you do need to keep track of the salt, it should be safe for the attacker to know, at least with respect to this attack, because you already own the bucket which the attacker would otherwise hoard.
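The two naming schemes the thread argues about, as an added example that is not from any commenter: a deterministic "salted hash" name is reproducible by anyone who holds the same inputs, while a name drawn from the OS CSPRNG is not. The S3 naming rules enforced here are a subset (3-63 chars, lowercase letters, digits and hyphens, alphanumeric at both ends), and the account id and salt are constructed sample values.

```python
import hashlib
import re
import secrets

# Subset of the S3 bucket naming rules checked here (constructed for this
# example): 3-63 chars, lowercase letters / digits / hyphens, and the first
# and last character must be alphanumeric.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")
_MAX_LEN = 63


def is_valid_bucket_name(name: str) -> bool:
    """True if the name satisfies the rule subset above."""
    return _BUCKET_RE.fullmatch(name) is not None


def _fit(prefix: str, suffix: str) -> str:
    """Join a human-readable prefix to a suffix, trimming the prefix so the
    whole name stays within 63 chars and remains rule-compliant."""
    prefix = re.sub(r"[^a-z0-9-]", "-", prefix.lower()).strip("-")
    room = _MAX_LEN - len(suffix) - 1          # reserve one char for the hyphen
    prefix = prefix[:room].rstrip("-")
    name = f"{prefix}-{suffix}" if prefix else suffix
    if not is_valid_bucket_name(name):
        raise ValueError(f"cannot form a valid bucket name from {prefix!r}")
    return name


def derived_bucket_name(prefix: str, account_id: str, salt: str) -> str:
    """The 'salt and hash' scheme from the thread. It is deterministic: any
    party holding the same (account_id, salt) pair computes the same name,
    so a public salt does not make the name unpredictable."""
    digest = hashlib.sha256(f"{salt}:{account_id}".encode()).hexdigest()[:16]
    return _fit(prefix, digest)


def random_bucket_name(prefix: str, entropy_bytes: int = 16) -> str:
    """The 'just randomly generate the string' scheme: 128 bits from the OS
    CSPRNG (hex output is already lowercase, so it is rule-compliant)."""
    return _fit(prefix, secrets.token_hex(entropy_bytes))


if __name__ == "__main__":
    # Constructed sample inputs; the account id is a placeholder, not real.
    print(derived_bucket_name("logs", "123456789012", "public-salt"))
    print(random_bucket_name("logs"))
```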