Yes and… UUIDs aren’t “just more difficult to guess.” They are inconceivably har...

0cf8612b2e1e · 2025-07-12T00:48:26 1752281306

The security is that your server will crash from overload long before someone can guess the ids.

zarzavat · 2025-07-12T00:49:49 1752281389

You are both right. UUIDs, if randomly generated from a CSPRNG are impossible to guess. But not all UUIDs are generated from a secure RNG, or use randomness at all.

xeromal · 2025-07-12T01:14:58 1752282898

I may be a dingleberry but who doesn't use uuidv4 for everything?

cobbal · 2025-07-12T01:59:58 1752285598

UUIDv4 may or may not use a cryptographically secure random number generator. Python's UUID library, for example, falls back to the insecure 'random' module. Given a handful of outputs, it's possible to predict future ones.

maple3142 · 2025-07-12T03:47:59 1752292079

For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.

shakna · 2025-07-12T04:07:08 1752293228

Uh... Come again?

    def uuid4():
        """Generate a random UUID."""
        return UUID(bytes=os.urandom(16), version=4)

https://github.com/python/cpython/blob/3.13/Lib/uuid.py

cobbal · 2025-07-12T17:56:20 1752342980

Nice. Looks like I was looking at an old version of the file. https://github.com/python/cpython/commit/09ba98436444d2a4e11...

shakna · 2025-07-13T00:26:53 1752366413

Yeah, Python went through a big shakeup around secure randomness when they put together the "secrets" library, around a decade ago. A lot of that also got backported on most OSs.

So there really shouldn't be anyone using that today, thankfully.

0cf8612b2e1e · 2025-07-12T02:09:42 1752286182

Gasp! I had no idea about the Python implementation. Not that I do anything where it would matter (just need a random id), but for an already slow language, I would prefer the safer default.

hardwaresofton · 2025-07-12T01:30:28 1752283828

UUIDv7 indexes better in databases