Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

4
  • Using a UUID (or GUID) means you don't have to check for duplicates - the 'U' stands for Unique, and is part of the guarantee of a UUID or GUID. But a UUID doesn't necessarily offer a guarantee of unpredictability. A cryptographically secure pseudo-random number generator (CSPRNG) used to generate a sufficient number of bits provides both. Commented Dec 14, 2015 at 19:31
  • @JohnDeters Most UUIDs are type 5 UUIDs, which are just random numbers with a "this is a random number" indicator tacked on. Commented Dec 14, 2015 at 20:09
  • I agree. RFC section 6. Security Considerations, begins with: "Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example." But if you use a CSPRNG to generate a large enough number, it will be hard to guess. A hash of a photo is not a suitable seed for a CSPRNG. Commented Dec 14, 2015 at 21:20
  • 1
    @immibis, you are free to refrain from editing other answers if you prefer -- but it's not exactly Stack Exchange policy. See security.stackexchange.com/help/editing and security.stackexchange.com/help/privileges/edit. If you feel that my edits did not improve your answer or made it worse, you have the power to roll the edits back. (Personally, I felt that my edit is an improvement, and after adding the additional caveats I added in my edit, this becomes the best answer to the question... but feel free to form your own opinion.) Commented Dec 14, 2015 at 23:42