Secure, collision-resistant ids optimized for horizontal scaling and performance.

Need unique ids in your app? Forget UUIDs and GUIDs, which often collide in large apps.

Why?

Cuid was created to solve the issue of untrustworthy entropy in id generators that led to frequent id collisions and related problems in production applications. For many years, Chromium's Math.random() wasn't very random at all.

For the same reason, it's not a good idea to trust your browser's "Cryptographically Secure" Pseudo Random Number Generator (CSPRNG), which tools like uuid and nanoid rely on: there may be bugs in browser CSPRNGs. Not all security measures should be considered equal. There are too many things that can go wrong when they're not, and insecure ids can cause problems in unexpected ways, including unauthorized user account access, unauthorized access to user data, and accidental leaks of users' personal data, which can have catastrophic effects even in innocent-sounding applications like fitness run trackers (see the 2018 Strava Pentagon breach and PleaseRobMe). Ids should be secure by default for the same reason that browser sessions should be secure by default.

Validating ids

isCuid checks whether a string is a valid Cuid2 id:

    // createId and isCuid are exports of the @paralleldrive/cuid2 package
    import { createId, isCuid } from '@paralleldrive/cuid2';

    console.log(
      isCuid(createId()), // true
      isCuid('not a cuid'), // false
    );

Cuid2 is:

- Secure: It's not feasible to guess the next id, existing valid ids, or learn anything about the referenced data from the id. Cuid2 uses multiple, independent entropy sources and hashes them with a security-audited, NIST-standard cryptographically secure hashing algorithm (SHA-3).
- Collision resistant: It's extremely unlikely to generate the same id twice. By default, you'd need to generate roughly 4,000,000,000,000,000,000 ids (sqrt(36^(24-1) * 26) = 4.0268498e+18, the birthday bound for a 24-character id whose first character is one of 26 letters and whose remaining 23 characters are base36) to reach a 50% chance of collision.
- Horizontally scalable: Generate ids on multiple machines without coordination.
- Offline-compatible: Generate ids without a network connection.
- URL and name-friendly: No special characters.
- Fast and convenient: No async operations.
- But not too fast: If you can hash too quickly, an attacker can launch parallel attacks to find duplicates or break entropy-hiding. For unique ids, the fastest runner loses the security race.

Cuid2 is not good for:

- Sequential ids (see the note on K-sortable ids).
- High-performance tight loops, such as render loops. If you don't need cross-host unique ids or security, consider a simple counter for this use case, or try Ulid or NanoId.
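The collision-resistance figure above is the birthday bound for the Cuid2 id shape: one lowercase letter (26 options) followed by length-1 base36 characters (36 options each). The following is an added example, not code from the cuid2 project, that generalizes that calculation to any id length and any target probability; the function names are illustrative and the id shape is assumed from the 26 and 36 in the formula above. It uses only JavaScript built-ins, so it runs offline without the package.

```javascript
// Added example (not part of the cuid2 project): birthday-bound estimates for
// ids shaped like Cuid2 ids (assumption: 1 letter, then base36 characters).

// Size of the id space for a given length, as an exact BigInt.
function idSpace(length) {
  if (!Number.isInteger(length) || length < 2) {
    throw new RangeError("length must be an integer >= 2");
  }
  return 26n * 36n ** BigInt(length - 1);
}

// floor(sqrt(n)) for a BigInt, by Newton's method from an initial guess
// that is guaranteed to be >= sqrt(n), so the iteration only decreases.
function bigIntSqrt(n) {
  if (n < 0n) throw new RangeError("bigIntSqrt of a negative number");
  if (n < 2n) return n;
  let x = 1n << BigInt(Math.ceil(n.toString(2).length / 2));
  for (;;) {
    const y = (x + n / x) >> 1n;
    if (y >= x) return x;
    x = y;
  }
}

// The rule of thumb used above: about sqrt(space) ids before a collision
// becomes likely. For length 24 this is the 4.0268498e+18 quoted on the page.
function idsForHalfChanceRuleOfThumb(length) {
  return bigIntSqrt(idSpace(length));
}

// Probability that k ids drawn uniformly from the space contain at least one
// duplicate: 1 - exp(-k(k-1)/(2N)). Using expm1 keeps tiny probabilities
// (e.g. a billion ids) from rounding to exactly 0.
function collisionProbability(length, k) {
  const n = Number(idSpace(length));
  return -Math.expm1(-(k * (k - 1)) / (2 * n));
}

// Inverse: how many ids until the collision probability reaches p.
// Solves 1 - exp(-k^2/(2N)) = p for k, i.e. k = sqrt(2 N ln(1/(1-p))).
function idsForProbability(length, p) {
  if (!(p > 0 && p < 1)) throw new RangeError("p must be in (0, 1)");
  const n = Number(idSpace(length));
  return Math.sqrt(2 * n * Math.log(1 / (1 - p)));
}

// Usage: compare the rule of thumb with the exact 50% point and with a
// realistic volume of a billion ids, for the default length of 24.
console.log(idsForHalfChanceRuleOfThumb(24).toString());
console.log(collisionProbability(24, 4.0268498e18));
console.log(idsForProbability(24, 0.5));
console.log(collisionProbability(24, 1e9));
```

Running it shows that sqrt(N) ids give a collision probability of about 0.39, and that the exact 50% point is about 1.18 times higher (roughly 4.7e18 ids for the default length), which is why the figure on the page is stated as "roughly". At a billion ids the probability is on the order of 1e-20, which is the practical argument for not needing coordination between hosts.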