惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Reorx’s Forge

My OpenClaw Desperately Needs a DevOps Agent OpenClaw Is Changing My Life Rabbit R1 - The Upgraded Replacement for Smart Phones Debounce and Throttle | Reorx’s Forge Window Opener for Chrome | Reorx’s Forge 用 AI 工具快速撰写分享型推文 | Reorx’s Forge A Message to GPT-API Product Makers 谈谈我对 ChatGPT 应用的 prompt 的看法 ChatGPT Proofreader extension for Popclip 思考生活与生命在英语中的区别 | Reorx’s Forge Some random thoughts on Generative AI 《风暴英雄》对我的意义 | Reorx’s Forge The debut of Substance: A HTML-to-Markdown extractor 「荒木型」与「三浦型」创作者 | Reorx’s Forge 离开国产 SaaS | Reorx’s Forge Defeat VSCode Tab Bar | Reorx’s Forge 真正的好作品只能靠自己去发现 | Reorx’s Forge 我用过的位置追踪应用 | Reorx’s Forge 浅谈 Chrome Manifest V3 的优缺点 为什么人们在黄图群喜欢聊哲学 | Reorx’s Forge 并不乐观的全球化 | Reorx’s Forge 童年的 Disco | Reorx’s Forge Kevin Kelly 对创作者的指导 | Reorx’s Forge 不换房了,继续向前 | Reorx’s Forge State of Play September 2022 如何寻找一个理想的租房 | Reorx’s Forge 停不下来的创业者——得知 Figma 被 Adobe 收购有感 大公司为何不愿意做好用的产品? | Reorx’s Forge 我的 10 月新番表 | Reorx’s Forge 使用 Railway 和 Supabase 零成本搭建 n8n 自动化平台 分体式键盘 | Reorx’s Forge 关于 Essays 的说明 | Reorx’s Forge 要不要回互联网公司上班? | Reorx’s Forge 2022 年 9 月苹果发布会观后感 | Reorx’s Forge 2022 年 7 月和 8 月总结 种草无线便携路由器 | Reorx’s Forge 更换博客评论系统 | Reorx’s Forge 使用自动化工作流聚合信息摄入和输出 | Reorx’s Forge 我关注的独立开发者们 | Reorx’s Forge 我理想中的 Newsletter platform | Reorx’s Forge 搭建 umami 收集个人网站统计数据 | Reorx’s Forge Frontend Guide 01: Webpack babel-loader 使用指南 Google I/O 2022 Web Platform 新特性展示观看笔记 PyYAML 使用技巧 | Reorx’s Forge Tips that may save you from the hell of PyYAML 重新开始使用 RSS 阅读器 | Reorx’s Forge 我的 Vim 自动补全配置变迁史 | Reorx’s Forge 使用 Sonarr 搭建自动化追番系统 | Reorx’s Forge Switch open files quickly in Obsidian A look into Heptabase's split writing experience
“Moving away from UUIDs”, Really?
Reorx · 2022-11-23 · via Reorx’s Forge

Recently I saw an article called Moving away from UUIDs – Neil Madden on Hacker News. The title immediately got my attention since I use UUIDs a lot in various projects, no matter personal or commercial. Whether I’m using it right or wrong is a vital concern from an engineering perspective, so I read it thoroughly and carefully. This article is my summary and thoughts on it.

Overall, the author gives an opinion that using UUIDs for unguessable random string like session tokens or cookies is a bad practice, the reasons are as follows:

  1. UUID is insecure in cryptography. In some situations, an attacker can take only 35 minutes to brute-force guess a valid result.
  2. UUID is inefficient in storing data. Because of its hexadecimal format and the use of extra dashes, a UUID takes 36 characters to represent 16 bytes of data.

As a replacement, the author suggests to use a 20 bytes random string that is URL-safe base64-encoded. Here’s an example comparing with an UUID string:

20 bytes base64 random: Xl3S2itovd5CDS7cKSNvml4_ODA
UUID                  : 5a097fe7-1720-457c-8363-8d660a65bab2

The advantages over UUIDs are:

  1. A 20 bytes random value is almost impossible to guess in a reasonable time.
  2. The length of the string is just 224 characters, resulting in much less storage space than UUIDs.

Generally speaking, I think although the conclusion of not using UUIDs for tokens is correct, the assumption is totally wrong. UUID (Universally unique identifier) as the name says, is an ID which should not be used for cryptographic purposes in the first place. The proper scenario for UUIDs is using it as primary keys in distributed systems, in which it prevents collisions without relying on a centralized identity generator. In contrast, random string has no way to achieve that.

I did learn something new from this article, but it failed to give me anything useful upon my understanding of how UUIDs should be used.

Do not write clickbait posts, as being neutral and accurate is a virtue for engineers.