Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I believe the concern is if your primary key in the database is a serial number it might be exposed to users unless you do extra work to hide that ID from any external APIs and if there are any flaws in your authorization checks it can allow enumeration attacks exposing private or semi-private info. With UUIDs being virtually unguessable that makes it less of a concern.


uuid7 is still guessable though, as the article says. The assumption is that these are internal only PKs.


There is a big difference though. Serial keys allow attackers to guess the rate at which data is being added.

UUID7 allows anyone to know the time of creation, but not how many records have been created (approximately) in a particular time frame. It leaks data about the record itself, but not about other records.


Far, far less than sequential Ids, and the random part is some pretty big values numerically... I mean there's billions of possible values for every MS on the generating server... you aren't going to practically "guess" at them.


Guessable with 80 bits of entropy?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: