Comment by tyre
7 months ago
Yes and…
UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.
> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.
The security is that your server will crash from overload long before someone can guess the ids.
You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.
I may be a dingleberry but who doesn't use uuidv4 for everything?
UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.
6 replies →
UUIDv7 indexes better in databases