Comment by zarzavat

6 days ago

You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.

9 comments

zarzavat

xeromal 6 days ago

I may be a dingleberry but who doesn't use uuidv4 for everything?

cobbal 6 days ago
UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.
- maple3142 6 days ago
  
  For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.
- shakna 6 days ago
  
  Uh... Come again?
  def uuid4(): """Generate a random UUID.""" return UUID(bytes=os.urandom(16), version=4)
  https://github.com/python/cpython/blob/3.13/Lib/uuid.py
  
  3 replies →
- 0cf8612b2e1e 6 days ago
  
  Gasp! I had no idea about the Python implementation. Not that I do anything where it would matter (just need a random id), but for an already slow language, I would prefer the safer default.
hardwaresofton 6 days ago

UUIDv7 indexes better in databases