undefined | Better HN

0 pointsbsuvc8mo ago0 comments

Not impossible, just more difficult to guess.

"Security through obscurity" isn't really good enough.

0 comments

tyre8mo ago

Yes and…

UUIDs aren’t “just more difficult to guess.” They are inconceivably harder to guess.

> Put another way, one would need to generate 1 billion v4 UUIDs per second for 85 years to have a 50% chance of a single collision.

0cf8612b2e1e8mo ago

The security is that your server will crash from overload long before someone can guess the ids.

zarzavat8mo ago

You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.

xeromal8mo ago

I may be a dingleberry but who doesn't use uuidv4 for everything?

2 more replies

hardwaresofton8mo ago

Yes, you are technically right -- I should have said "functionally impossible". It's not actually impossible, but close enough for the average random onlooker.

j / k navigate · click thread line to collapse