UUID Security Guide: Are UUIDs Safe to Use as Public Identifiers?
Assess UUID security for public APIs and URLs. Learn the risks of predictable v1 UUIDs, enumeration attacks, and when to use opaque tokens instead.
Tags: developer-tools, uuid, security
Developers often use UUIDs as resource identifiers in URLs and APIs. The assumption is that because the ID is unguessable, it is safe to expose. That assumption is correct for UUID v4, but it breaks for v1, v3, and v5, and it does not eliminate all security risks. This guide explains precisely when UUIDs are safe and when they are not.

UUID v4: Random Guessing Infeasibility

UUID v4 has 122 bits of random entropy. An attacker attempting to guess a valid UUID must find a value in a set of 2^122 ≈ 5.3 × 10^36 possibilities. To brute-force guess one valid UUID in a system with one million records:

Probability of a single guess being valid: 10^6 / (5.3 × 10^36) ≈ 1.9 × 10^-31

At one billion guesses per second: expected time to…
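The following is an added example, not code from the article, that makes the two points above concrete with Python's standard `uuid` module: it decodes what a v1 UUID gives away (its creation timestamp and node field), flags v3/v5 as recomputable by anyone who knows the namespace and name, and sizes the guessing attack for v4 with the same numbers the text uses (one million records, one billion guesses per second). The sample v1 UUID is constructed here from a chosen timestamp, node and clock sequence; the `exposure_report` classification and the helper names are this example's own, not an API of any library.

```python
"""Inspect what a UUID reveals, and size the guessing attack the article describes."""
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the UUID v1 epoch (1582-10-15) and the Unix epoch.
GREGORIAN_TO_UNIX_TICKS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
V4_RANDOM_BITS = 122  # 128 bits minus 4 version bits and 2 variant bits


def make_v1(when: datetime, node: int, clock_seq: int) -> uuid.UUID:
    """Assemble a v1 UUID from its fields, as a v1 generator does (used here only to build a sample)."""
    unix_ticks = int(when.timestamp()) * 10_000_000 + when.microsecond * 10
    ts = unix_ticks + GREGORIAN_TO_UNIX_TICKS
    return uuid.UUID(
        fields=(
            ts & 0xFFFFFFFF,          # time_low
            (ts >> 32) & 0xFFFF,      # time_mid
            (ts >> 48) & 0x0FFF,      # time_hi (version nibble is set by version=1)
            (clock_seq >> 8) & 0x3F,  # clock_seq_hi (variant bits are set by the constructor)
            clock_seq & 0xFF,         # clock_seq_low
            node,                     # 48-bit node, traditionally the MAC address
        ),
        version=1,
    )


def v1_timestamp(u: uuid.UUID) -> datetime:
    """Recover the creation time embedded in a v1 UUID (UTC)."""
    if u.version != 1:
        raise ValueError("not a version 1 UUID")
    return UNIX_EPOCH + timedelta(microseconds=(u.time - GREGORIAN_TO_UNIX_TICKS) // 10)


def exposure_report(u: uuid.UUID) -> dict:
    """What an outsider learns from the identifier alone, by version (this example's own classification)."""
    if u.version == 1:
        return {
            "version": 1,
            "guessable": True,
            "reason": "timestamp and node (usually a MAC address) are encoded in clear",
            "created": v1_timestamp(u).isoformat(),
            "node": f"{u.node:012x}",
        }
    if u.version in (3, 5):
        return {
            "version": u.version,
            "guessable": True,
            "reason": "hash of namespace + name; anyone who knows the inputs can recompute it",
        }
    if u.version == 4:
        return {"version": 4, "guessable": False, "reason": f"{V4_RANDOM_BITS} random bits"}
    return {"version": u.version, "guessable": None, "reason": "version not assessed here"}


def report_for(text: str) -> dict:
    """Parse a UUID string and classify it."""
    return exposure_report(uuid.UUID(text))


def guess_probability(valid_ids: int, entropy_bits: int = V4_RANDOM_BITS) -> float:
    """Chance that one uniformly random guess hits any of `valid_ids` live identifiers."""
    return valid_ids / 2 ** entropy_bits


def expected_years_to_hit(valid_ids: int, guesses_per_second: float,
                          entropy_bits: int = V4_RANDOM_BITS) -> float:
    """Mean time until the first hit when guessing at a fixed rate (geometric distribution)."""
    expected_guesses = 2 ** entropy_bits / valid_ids
    return expected_guesses / guesses_per_second / (365.25 * 86400)


# Constructed samples (not taken from the article): a v1 minted at a chosen time from a
# chosen node, a fresh v4, and a v5 derived from a public namespace and name.
SAMPLES = {
    "v1": str(make_v1(datetime(2022, 2, 22, 19, 22, 22, tzinfo=timezone.utc),
                      node=0x9F6BDECED846, clock_seq=0x33C8)),
    "v4": str(uuid.uuid4()),
    "v5": str(uuid.uuid5(uuid.NAMESPACE_DNS, "example.com")),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, value, report_for(value))
    print(f"p(one guess hits) with 1e6 ids: {guess_probability(10**6):.2e}")
    print(f"expected years at 1e9 guesses/s: {expected_years_to_hit(10**6, 1e9):.2e}")
```

Running it shows the v1 sample decoding back to its minting time and node, the v5 sample being reproducible by anyone who knows the namespace and name, and the v4 guess probability landing at about 1.9 × 10^-31 with an expected time to the first hit on the order of 10^14 years. The same `report_for` check can be pointed at the identifiers an application actually exposes to confirm they are v4 before relying on unguessability.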