Comment by cobbal

6 days ago

UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.

6 comments

cobbal

maple3142 6 days ago

For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.

shakna 6 days ago

Uh... Come again?

    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)

https://github.com/python/cpython/blob/3.13/Lib/uuid.py

cobbal 5 days ago
Nice. Looks like I was looking at an old version of the file. https://github.com/python/cpython/commit/09ba98436444d2a4e11...
- shakna 5 days ago
  
  Yeah, Python went through a big shakeup around secure randomness when they put together the "secrets" library, around a decade ago. A lot of that also got backported on most OSs.
  So there really shouldn't be anyone using that today, thankfully.
sergeyprokhoren 6 days ago

[dead]

0cf8612b2e1e 6 days ago

Gasp! I had no idea about the Python implementation. Not that I do anything where it would matter (just need a random id), but for an already slow language, I would prefer the safer default.