Is the Id still guessable even if I have provided my own alphabet?
Rookian opened this issue
Is the Id still guessable even if I have provided my own alphabet?
Is there a way to make the generated Id secure (e.g. using a salt)?
Hi @Rookian. The IDs aren't going to be "guessable" in the sense that there won't be a recognizable pattern between consecutive numbers, but keep in mind that libraries like Sqids and Hashids are generally primarily used for aesthetic purposes, and even though they do also provide a decent level of obfuscation — meaning 99% of ordinary users won't be able to figure out the numbers behind your IDs, and won't be able to increment them — if someone is really determined, they can still technically decode your numbers; because after all, Sqids/Hashids are not encryption algorithms (that would make them slow) and they don't claim to be.
If the sorts of things you're encoding with Sqids/Hashids are so sensitive that you simply can't afford the possibility of them being decoded by someone else, then what you really need is a proper encryption algorithm (e.g. AES, RSA, etc.), and Sqids/Hashids may not be suitable for your use case.
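The encryption route suggested in the reply above, as an added example that is not part of the original thread or of Sqids: a numeric ID is encrypted with AES-256-GCM into a URL-safe token, and a modified token is rejected instead of decoding to a different number. The names `encryptId` and `decryptId` are hypothetical, and the 32-byte key is assumed to come from your own secret storage.

```javascript
// Added example (not Sqids code): authenticated encryption of numeric IDs.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const NONCE_LEN = 12; // GCM nonce, fresh random value for every token
const ID_LEN = 8;     // the ID is serialized as an unsigned 64-bit integer
const TAG_LEN = 16;   // GCM authentication tag

// Encrypt a non-negative integer ID; token layout is nonce || ciphertext || tag.
function encryptId(id, key) {
  if (!Number.isSafeInteger(id) || id < 0) {
    throw new RangeError('id must be a non-negative safe integer');
  }
  const plaintext = Buffer.alloc(ID_LEN);
  plaintext.writeBigUInt64BE(BigInt(id));
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, ciphertext, cipher.getAuthTag()]).toString('base64url');
}

// Return the ID, or null when the token is malformed, modified, or made with another key.
function decryptId(token, key) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length !== NONCE_LEN + ID_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const ciphertext = raw.subarray(NONCE_LEN, NONCE_LEN + ID_LEN);
  const tag = raw.subarray(NONCE_LEN + ID_LEN);
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAuthTag(tag);
    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
    return Number(plaintext.readBigUInt64BE());
  } catch {
    return null; // tag check failed: do not trust any part of the token
  }
}

// Constructed demo key; a real deployment loads a persistent key instead.
const demoKey = randomBytes(32);
const demoToken = encryptId(12345, demoKey);
console.log(demoToken, decryptId(demoToken, demoKey));
```

Unlike a Sqids ID, each token is 48 characters long and differs on every call for the same number, so it cannot serve as a short, stable identifier.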