|
|
|
|
|
|
by Grimburger
1289 days ago
|
|
|
> ULID leaks information about when the user was created How often is this really a bad thing? Are you worried about someone enumerating the entire space of possible ULIDs for every millisecond without ever rate-limiting them? Not many people are building anonymous, privacy-first websites and there's plenty of other ways to determine when a user first started using the site regardless. |
|
|
It's not about guessing user IDs, but about deducting some useful information about them.
For example if an attacker may deduct wether an employee in a company a senior or a new one, and will know when exactly they joined the company.