Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You can generate sequential UUIDs, IIRC, that’s the best way to store them in a db and still have good partitioning/indexing. I don’t use UUIDs often, but I vaguely remember researching this problem space at some point.


I think most languages let you chose which version of UUID you want - with most defaulting to the random version (I think 4?) by default.

There are other versions that are sequential/time-based though, but using these could open the door to de-obfuscating whatever data you wanted to protect via UUID's in the first place (like how many sales orders you receive per hour, etc).


I don’t think uuids are designed for obfuscation, though they certainly help with that as a side effect. I could be wrong though, I’ve never looked into it.


They (randomized type 4 UUID's) obfuscate as a side effect because they are much more difficult to guess due to their randomness. As the article points out though, they are not impossible to guess... but it will come down to your risk tolerance and what the UUID's are "protecting".

People like to reach for UUID's when obfuscation is needed because inventing your own duplicate-aware random string algorithm isn't what most folks want to spend their time thinking about. Plus, these days, many databases come with UUID-aware data types that make using UUID's fairly straight forward.


UUIDs are a vast improvement over integers for preventing simple attacks like +/-ing the id and seeing what happens.


But then you're back to collisions, and you may as well be using longs.


I think v7 uses microseconds since epoch + random data. The odds of a collision should be practically 0, or more likely to find a sha256 collision.


> more likely to find a sha256 collision.

This is obviously, and egregiously, false.


I don't know. You'd need quite a number of threads + machines generating uuids in the exact same microsecond to get an opportunity for a collision. It doesn't seem obviously false.


I didn't say a collision is easy, I said it's obviously false it's harder than colliding a sha256, a space roughly 95780971304118053647396689196894323976171195136475136 times larger.


It /can/ be smaller though, as the probability is linked to the number of global threads generating UUIDs in any given microsecond. Thus if you have enough machines generating UUIDs, you'll have more chances for a collision. Given that it is only possible to generate a collision in a given microsecond, and not globally across ALL TIME, over ∞ time, the probability of a collision(UUID) == 0, while a collision(sha256) == 100%.


Your counter rolls eventually. You're underappreciating how much larger 2^256 is than 2^80 or even 2^128.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: