[pinkgolem]

Is that not quit commen for invites/no user account shares?

[javawizard]

Indeed, but one could easily argue that 128 bits of entropy aren't sufficient for a good invite token in the first place.

[pinkgolem]

I am just puzzled why delifue calls something that, as far as I know is pretty standard across the industrie, bad practice

[treve]

There's 2 cases being discussed. A UUIDv7 is a bad secret, but it's fine for many other ids. If I can guess your user id, it shouldn't really matter because your business logic should prevent me from doing anything with that information. If I can guess your password reset token it's a different story because I don't need anything else beyond that token to do damage.

[tracker1]

But the random part of a UUIDv7 is 74 bits... larger than a 64-bit integer of random values. Larger than many systems use in total when generating random keys for such things. Likely a larger number of values than the total number of comments here on HN over a couple decades. It's emphatically NOT guessable.

[treve]

I don't think you'll find many recommendations for key lengths under 128 bits / 16 bytes these days.

[nesarkvechnep]

Because it is?

[skrebbel]

No?