Comment by tyre
6 days ago
Yes and…
UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.
> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.
The security is that your server will crash from overload long before someone can guess the ids.
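The quoted figure, worked through as an added check (not part of the comment above): a v4 UUID carries 122 random bits, and the 50% collision point follows from the birthday bound. The last line separates collision from guessing, which is what the thread is actually arguing about: guessing one of K existing ids is a per-attempt probability, not a birthday problem.

```latex
\begin{aligned}
\text{random bits in a v4 UUID: } & 128 - 4\ (\text{version}) - 2\ (\text{variant}) = 122 \\
\text{birthday bound, 50\% chance of one collision: } & n \approx \sqrt{2 \cdot 2^{122} \ln 2} \approx 2.7 \times 10^{18} \\
\text{at } 10^{9}\ \text{UUIDs/s: } & \frac{2.7 \times 10^{18}}{10^{9} \cdot 3.16 \times 10^{7}\ \text{s/yr}} \approx 86\ \text{years} \\
\text{guessing one of } K \text{ live ids, per attempt: } & P = \frac{K}{2^{122}}
\end{aligned}
```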
You are both right. UUIDs, if randomly generated from a CSPRNG, are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.
I may be a dingleberry but who doesn't use uuidv4 for everything?
UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.
6 replies →
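Added example, not code from this thread or from any library named in it: a hypothetical id generator that draws 128 bits from Python's `random` module (Mersenne Twister, MT19937), and an observer that recovers the generator's internal state from 156 such ids and then predicts the next ids exactly. Two caveats the comment above glosses over: the standard state-recovery attack needs 624 consecutive 32-bit outputs rather than a handful, and the ids here are built with `uuid.UUID(int=...)` without setting the version so that all 128 bits reach the observer; a real RFC 4122 v4 layout overwrites 6 bits per id, which the observer would have to recover by other means. CPython's `uuid.uuid4()` reads `os.urandom(16)` in Python 3; the fallback to `random` referred to above is Python 2's `uuid` module. The `insecure_ids`, `recover_state` and `demo` names and the seed are assumptions of this example.

```python
import random
import secrets
import uuid

MASK32 = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words


def temper(y):
    """MT19937 output tempering, applied to each state word before it is emitted."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(z, shift):
    # z = y ^ (y >> shift); each pass fixes the next `shift` bits from the top
    y = z
    for _ in range(32 // shift + 1):
        y = z ^ (y >> shift)
    return y


def _undo_left_xor_mask(z, shift, mask):
    # z = y ^ ((y << shift) & mask); each pass fixes the next `shift` bits from the bottom
    y = z
    for _ in range(32 // shift + 1):
        y = z ^ ((y << shift) & mask)
    return y & MASK32


def untemper(z):
    """Invert temper(): tempering is a bijection, so each output reveals one state word."""
    y = _undo_right_xor(z, 18)
    y = _undo_left_xor_mask(y, 15, 0xEFC60000)
    y = _undo_left_xor_mask(y, 7, 0x9D2C5680)
    return _undo_right_xor(y, 11)


def insecure_ids(rng, count):
    """Hypothetical vulnerable generator (constructed for this demo): 128 bits
    straight from a random.Random instance, formatted as a UUID. The version
    field is deliberately not set so every tempered output survives intact."""
    return [uuid.UUID(int=rng.getrandbits(128)) for _ in range(count)]


def words_from_id(u):
    """Split an id back into the four 32-bit MT outputs that produced it.
    CPython's getrandbits(k > 32) fills 32-bit words least-significant first."""
    return [(u.int >> (32 * i)) & MASK32 for i in range(4)]


def recover_state(outputs):
    """Clone the generator from 624 consecutive raw 32-bit outputs."""
    if len(outputs) < N:
        raise ValueError("need at least %d consecutive 32-bit outputs" % N)
    state = tuple(untemper(z) for z in outputs[-N:])
    clone = random.Random()
    clone.setstate((3, state + (N,), None))  # index N: the next call twists first
    return clone


def demo(seed=20240101, predict=3):
    """Observe N // 4 ids, then predict the victim's next `predict` ids."""
    victim = random.Random(seed)               # the observer never learns the seed
    observed = insecure_ids(victim, N // 4)    # 156 ids = 624 outputs
    raw = [w for u in observed for w in words_from_id(u)]
    clone = recover_state(raw)
    predicted = [uuid.UUID(int=clone.getrandbits(128)) for _ in range(predict)]
    actual = insecure_ids(victim, predict)
    return predicted, actual


def secure_id():
    """The non-predictable alternative: 16 bytes from the OS CSPRNG, which is
    what uuid.uuid4() does in Python 3 (os.urandom); secrets.token_bytes is
    the same source through the secrets module."""
    return uuid.UUID(bytes=secrets.token_bytes(16), version=4)


if __name__ == "__main__":
    predicted, actual = demo()
    for p, a in zip(predicted, actual):
        print(p, "==" if p == a else "!=", a)
    print("secure:", secure_id(), uuid.uuid4())
```

The untempering works from any window of 624 consecutive outputs, not only from a freshly seeded generator, because the MT recurrence is a linear relation over the whole output sequence. The practical defence is simply to never derive identifiers or tokens from `random`: use `uuid.uuid4()`, `secrets.token_bytes` or `os.urandom`.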
UUIDv7 indexes better in databases