(no title)
pqdbr | 4 months ago
> What can go wrong with using UUIDv7 Using UUIDv7 is generally discouraged for security when the primary key is exposed to end users in external-facing applications or APIs. The main issue is that UUIDv7 incorporates a 48-bit Unix timestamp as its most significant part, meaning the identifier itself leaks the record's creation time.
> This leakage is primarily a privacy concern. Attackers can use the timing data as metadata for de-anonymization or account correlation, potentially revealing activity patterns or growth rates within an organization. While UUIDv7 still contains random data, relying on the primary key for security is considered a flawed approach. Experts recommend using UUIDv7 only for internal keys and exposing a separate, truly random UUIDv4 as an external identifier.
SahAssar|4 months ago
What experts? For what scenarios specifically? When do they consider time-of-creation to be sensitive?
dgb23|4 months ago
hn_throwaway_99|4 months ago
So then what's the point? How I always did things in the past was use an auto increment big int as the internal primary key, and then use a separate random UUID for the external facing key. I think this recommendation from "experts" is pretty dumb because you get very little benefit using UUIDV7 (beyond some portability improvements) if you're still using a separate internal key.
While I wouldn't use UUIDV7 as a secure token like I would UUIDV4, I don't see anything wrong with using UUIDV7 as externally exposed object keys - you're still going to need permissions checks anyway.
morshu9001|4 months ago
crazygringo|4 months ago
Or where, for some reason, the ID needs to be created before being inserted into the database. Like you're inserting into multiple services at once.
andy_ppp|4 months ago
jagged-chisel|4 months ago
mamcx|4 months ago
themafia|4 months ago
I honestly don't see how.