In case it wasn't obvious in the video, this video is NOT against GUIDs. Distributed systems absolutely need them but distributed systems will probably use NoSQL databases which don't suffer from the problems outlined. Also, of course everything should have proper auth where needed and you shouldn’t rely on unguessable urls. This was never in question and was never brought up as a selling point of the library or the approach. It is assumed to be the bare minimum that you should have. The video is all about how you can keep using sequental IDs internally, if the only reason you wanted to move to GUIDs was the exposure of the data with a concern about losing database performance, without having to worry about exposing guessable ids and opening your system up to potential security problems. Sequential ids, both ints and guids, can give your competitors business intelligence for your system (user/order count, rate of growth etc). We need to acknowledge that there is a huge amount of people that don't work in scaled out, cloud native microservices, and this video is for them. For a video focusing on the practicality and security issues with enumerated entities in URLs check out Tom Scott's video here: kzbin.info/www/bejne/naDGqIWsgc13nJo

Ah, I was wondering why the project was suddenly getting PRs today. I'm the current maintainer, thanks for highlighting this!

A global seed stored in the app's code is usually called "pepper". "Salt" is what differs for every record, and is stored in the datastore.

When you start with "Hello everybody" and your name is Nick, I immediately picture dr. Nick from the Simpsons. Love your videos!

You talk about the security aspect of sequential id's at the beginning, which I appreciate. But if you don't keep the HashId-seed secret, it has basically the same problem, an attacker just needs to decode the hash into a sequential id, increment or decrement and encode again to get another possibly valid hash. Well, eventually, authorization should anyway be enforced in other ways, because hashes, guids and sequential id's can always leak, and that shouldn't give non-authorized people any power in a secure system.

4:36 - The term “hash” and “hashing” long predates crypto as a term of art in computing. It simply refers to the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hash ID perfectly describes this use case and is not even slightly arbitrary in meaning or application. In fact, cryptography is a form of hashing but hashing is not necessarily cryptographic. That is to say, hashing doesn’t necessarily obfuscate the original value. Take, for example, a hashtag. To go full circle, GUIDs and UUIDs are also hashes.

Congrats on the 100K subs, well deserved man!

Congratulations on reaching 100K subscribers.... As usual you present good value and good explanations! Keep up the good work!

Thank you Nick. I really like the idea to hide the real sequentiell integer id. Without drawback of perfomance issues of a guid. Also to be possible to "hash" multiple ids is great. Sometimes you need it. Great explanation also. :-)

Hi Nick, very nice video, I've been also using some other ID format called KSUID (k-sortable unique ID), these are basically smaller for storage than UUID but with more entropy bytes and I really loved them. They are sequential sortable by design, so no encode/decode has to take place. There is support in a various range of programming languages nowadays (originally coming from Go). I would love to see a video on them, too.

Great video as always nick. Please please create a video in optimizing GUIDs as IDs Nick 🙏

Congrats on 100K subscribers. Your videos always give some new knowledge and ideas.

Congrats on reaching 100K, you deserve it! This is a very useful topic, thanks. :)

Interesting. Previously I have used checksums to improve performance when searching strings. More for urls, emails, etc. where you have to store the full thing, but you want more optimal indexing.

Looking forward for the video on guid optimization. Thank you for the video!

It's nice to have options for different types of IDs to be used in different situations. GUIDs are nice sometimes, integers are nice other times. I've really enjoyed Flake IDs in some distributed situations, and hash-based IDs are great for these user-visible URL situations you're describing. Picking the right format of IDs for the right use-cases, and being able to cheaply translate between them when necessary, is important for the good design of many systems.

I'd definitely give this a try on my up comming projects. Thanks for sharing!

I'm growing by every video you release. Thanks for the your efforts towards the community. My kind request - please make book suggestion videos for software design.

It was nice to see you directly saying the outro 😀 And congratulations for the 100k subs, you really deserve it 🎉

I work on a large project where we originally used GUIDs as the primary key in the database, but for DB2 at least, the indexing was horrible because they were basically random and caused a lot of index cache misses. Switching to a sequential ID was the way to go for efficiency. But for exposing to web UIs, we keep a pair of dictionaries in the session state which map numeric IDs to guid and guid to numeric ID. Obviously just for the IDs we need to return to the user. Works pretty well.

Good learning stuff, thanks. Congrats on 100+k subscribers

Hello Nick. thanks for the insights on the hashids. I would love to see how to see the how optimise GUID searches video

Very nice. Didn’t know about this library. Thanks for sharing Nick!

Yes please on the "optimise Guids for RDB" idea! Thanks for the vid.

Yes! I was just thinking about how I might optimize the use of GUIDS as IDs in a NoSql DB.

Your content is gold! Thanks and congrats on 100k!

Hello Nick, very good explanation of the topic! Little note I wanted to add: 1. If performances are not an issue and security is preferred, it is recommended to use standard cryptography algorithms to do exactly what you described here, keeping the sequential indexing power of RDBS, but also obfuscating the ids. Everything done at runtime by a middleware or the endpoints themselves. 2. In performances scenario, perhaps doing maths on huge numbers may be way faster than doing stuff on string as `hashids` is doing, keeping the unpredictable property using `long`. But anyway, the git repo of hashids looks great and the idea is fair interesting to customize the obfuscated ids with custom alphabets. :) Thanks for sharing!

Well done with the 100k subscribers, well deserved. Your videos are excellent. On this topic, you could create a custom binder to decode for you before you hit the action method?

I worked on a project years ago that used nHibernate as the ORM and we had it configured in such a way as to use a specific guid algorithm (I think it was called comb) that generated indexable guids, so it is possible to get database friendly guids. That was actually my first job and we used guids everywhere, felt weird on my next job using ints as PKs

Hi Nick, each video is a incredible class. I from Brazil and try to follow by subtitles.

Very weird to see this in your latest videos when I just implemented this exact solution last week lol. After a very successful prototype it had me wondering where else I can use this in older projects instead of a GUID. Solid video man

Thanks for sharing-- interesting package, certainly worth giving it a shot

Best feeling when u see that nick uploaded a new video😁 Good and interesting topic btw

What a great idea. We've been using GUID and had to add an additional incremental column to get around indexing and paging limitations. Too late to rewrite everything now, but for new projects this is definitely a much better way to go about it.

This is one way to do it, I typically just use a secondary unique index with uuids. My queries/joins use the typical relationship integer ids but I don't expose those as identifiers or in my db code. That is a better way architecturally imho since the monotonic ids are actually leaking your db implementation details, making it harder to swap out your database and the ID generator inside the database becomes a singleton service that is difficult to replace.

Congratulations on 100k!

first of all i don't think that a bad library but in c# their is already a interface called IDataProtectionProvider. which can do the same thing and in terms of memory allocation i think that is also not bad either. also Congrats on the 100K subs.

We use Type 1 UUIDs which are sequential. I believe Cassandra uses them for the clustering key also. Also guaranteed unique with no conversion required. You can also represent the UUID as Base64: "Ej5FZ-ibEtOkVkJmVUQAAA". 22 chars instead of 36.

Great video Nick! I will definitely check this library out! But during the whole video I kept thinking about collisions (with GUIDs you don’t have to worry) especially if you have a disproportionally big amount of data and have configured the library to a short “hash” length. Really nice video though, I’m learning a lot from you and I am inspired by your passion for deep, well explained knowledge.

Great vid! I've been using hashids lots recently and it's worth pointing out that I've had pentesters rule that the hashids library output is guessable. They aren't entirely wrong, if you generate a bunch of them in sequence you will see that a pattern that forms over time. Especially if you limit the alphabet like I recently did to make a hashid more human readable by removing ambiguous letters that could be numbers etc.

A really good library. Thanks for sharing.

Great stuff, thanks Nick!

I use ulids, it has benefit of uuids (non colliding, and okay in distributed systems), and yet you can sort them in order (it uses current time as well), :)

Congrats on 100k subs! I am interested in your thoughts about Twitter Snowflake ID and compare them GUID and maybe hashid. Which one would you choose to build a distributed system. Great video as always.

μπράβο ρε τέλεια τα βίντεο, ο μόνος C# KZbinr που παρακολουθώ!

This is actually GREAT Thank you!!!

In MYSQL , you can store uuid columns as BINARY. MySQL 8 has UUID_TO_BIN() function and vice versa

Hi Nick, Thank you for sharing this very interesting topic. Lot’s of greetings, Dennis 🇳🇱

This came at the right time for me. Thanks Nick.

I know that this video is a bit older, but I just wanted to pass on a big thank you for it! I've always hated exposing key's as int's as you are right, makes it easy to hack the system. Also love you took a moment to look at the cpu cost to use the encoding plugin. Very complete. One question I did walk away with is what is the 'cost' of using guid's as primary keys as to just using int's from your experience? Thanks Again!!

Thank you Nick, great video as always...

I would say that if your API is going to return an object, it should be checking who is requesting it (authentication), and that that user has rights to see that object (authorization / access control). Just knowing the ID generally shouldn't give one access to the object. I haven't looked at the source of this library. (How cryptographicaly secure is it?) However one thing we can see from the examples shown is that *it does leak some information about the size of the ID* . A 32-bit ID (~4.2 billion possible values) (with the value 1) was mapped to two characters in a character set with 52 characters (capital and lowercase letters) (2704 possible value (52^2)) - a reduction from 32 bits of entropy to less than 12. If an attacker knows the algorithm (and depending on them not knowing (security by obscurity) is a bad practice), or just sees one low ID and guesses that others would be the same size, they've only this smaller key space to brute force, in order to find some valid values. If the system accepted 5 requests per second, they could cover those 2704 values in under 10 minutes (or a 12-bit range in under 14 minutes). If you depend on an attacker not knowing an ID (the ID value visible in the API), ideally, it should be *increasing* the size of the ID to something that is clearly infeasible to brute force. A 32-bit key would generally not be considered very secure, but it depends on your application, and how fast the attacker could make requests, and whether they would be locked out after a few invalid ones. Also remember that they don't have to cover the whole ID space to compromise some data. (e.g. if you had 32-bit IDs and your obfuscation function mapped them so that they were randomly distributed over the 32-bit space, and you had 100,000 records (of the same type/class/table) accessible by an ID, then an attacker would find a match after trying 42950 values on average). Another fundamental problem with lack of authorization is that someone who had access to a record at one time, might not be entitled to access it at another time, but they could still know the ID.

Nice content as always! Tbh the security problem is not the id type, the issue is not checking the user access rights. And GUID Ids are usually recommended for distributed DB or merging multiple DB into a data warehouse. Also, to avoid fragmentation, the best approach is to use sequential GUIDs generated by the DBMS.

Hi nick. First congratulations for the 100 k subs and the great content that ur giving to C# community... I have a question: in ur exemple, your data is stored with an int Id and converting it to hash whenever the data is send back to the httpResponse(so the client will see the entities with a hashId). Supposing i want to to store mine with same hashId using this library. Is it ok to generalize it's purpose? (no more encode and decode functions in the controllers). And please do a video for optimizing the Guid type. Thank you.

Could not have come at a better time. I was never a big fan of converting to base64 strings, trimming the non-alpha characters etc. Thanks for the video - the solution is perfect. For anyone using long integers as their keys, you can convert those to a hex string first and then use the EncodeHex and DecodeHex calls from the nuget package.

Been using that library for ages. I highly recommend it

I liked this and was about to use it, but then checked around for alternatives. Found Knuth's hash from ye olden dayes. If you want a quick comparison it generates ints that can be reversed back to the ID instead of strings and is apparently less crackable (though I doubt that matters too much for the use-case). Performance however, Knuth completed my benchmark in 950 ns while HashID took 1,466,137 ns.

I suggest using ULID. They're randomly generated like GUID, but sortable chronologically. This gives the best of both worlds.

Backpack (school app) had a similar issue. Kids pictures were stored by student id and it was accessible publicly.

Hello Nick! :) Thank you for clarification!

I think it bears mentioning that using a system like this is great for a greenfield project where you have never exposed an int ID. However if you have it would be trivial to back into the salt value from a previously known ID converted to a hashid.

Another interesting solution that I saw in Cassandra database is to use timeuuid (guid/uuid which contains time and can be sorted)

Great video as always...I don't understand why you don't have 2M subscribers already...honestly. There must be something you can do to increase your visibility... The sequential hashes are great and all in particular scenarios but fails miserably when doing inserts. I started using Guids as PKs before Jesus wore diapers, for that particular reason. And when moving to distributed environments it makes them even more attractive.

Hey, are you planning on bundling every course together or not? And can we pay in euros or only in pounds? Thanks for great content and congrads on 100k, well deserved.

Yes we want that video sir

It is a kind of relief to see that professionals as Nick codes some silly things as printing peepee poopoo just like me 🤡

That's super cool! I am a JavaScript developer and I honestly like this approach more than GUID/UUIDs. There is a package called *nanoid* which also does the same thing and it would be amazing if you could do a comparison of all three (GUID vs NanoID vs HashID) to generate random ids and check the collision rate of them. Because I heard somewhere that NanoID's arent's really universally unique as GUID or UUID

Thanks Nick, I love it

Very interesting. EF Core uses a sequential guid value generator by default (when using MSSQL) to avoid this problem.

Have been wondering about that security flaw for some time. This really eases resolving it in existing applications.

I love this video, and thanks for highlighting this project. But, since UUIDs are a native datatype for most databases, they are stored in 128 bits internally. So, an alternative to UUIDs for data in flight might be to convert them to base64. You get the advantages of this project plus all the benefits of UUiDs

One thing not covered but peeking my curiosity is if DR = 2 and Ir = 3. If the array of Ids is just a concatenation of individual values I think there is a major reduction in the value of this Lib as it would become much easier to guess values which was kind of the entire point.

Very creative console messages!

Thank you!

Hey Nick, cool package for sure I can see it’s use case. What are your thoughts on the hashid using primitive types and not a value type that encapsulates it’s logic? Also, I would love to hear more on how you optimize the use of GUIDs in your applications as well.

Perfect man💪

An alternative is to have an auto incrementing primary column and a separate GUID column (which is also indexed) that is assigned when the record is created. The GUID is used externally and the uint used internally. No GUID conversion necessary.. no cache or GUID lookup required

Hi, thanks for the video, great idea. However, what would you do if your salt is exposed? In case you just change it then an API will stop working.

I would love to see a video about guid optimization

Please make a video how to optimise GUIDs as Ids

The best thing about uuids is that you know the id before it's committed to the database.

This opened my eyes. On all of our API's we are still using raw ID's. Thank you!

I am interested in performance comparison between hashId and GUID

Yes please to the GUID optimization video.

To which dbms does this apply? In Postgres serial ids might be faster when writing, but for index lookups a random number offers better performance. Is that different for other dbms?

Been using it for years. Great it’s available for almost all popular languages. Also one note to mention, it’s not as efficient in inserting as guid

Pretty cool. Just maybe I'm spoiled, but I'm thinking it would be nice if we didn't have think about any of this, and could just use this kinda package implicitly... Meaning something like - have a model where it's just User.Id on the incoming model, with an attribute to indicate [HashId] and then have a middleware or modelbinder that automatically decodes incoming hashes back into ints... and outgoing ints into hashes

That is cool... I use ints for non-secure URLs, and I try to hide the whole query string for personal data... But i will be grabbing this package...

The primary use of GUIDs is so you don't have to synchronize them. You could have two different places generating them, in completely separate processes,and later you could combine some or all of them without having collisions. Whatever your tip is for it's less than 0.1% of the use cases of guids covered. Yes guids are also pretty good db secrets, but they're not the best for that either. An actual public key and private key is much better, though even more high cost.

I found the easter egg, I knew I would have been rickrolled :) Great Video!

There is a performance tradeoff. Random hash id will lead to fast index fragmentation in DB. So, maybe, sequential guid (UUID v1) is a good alternative.

I like when u said : "A url friendly random looking hash type thing" 😂😂

hi @nickchapsas what do you think about UUID v7 or ULID or Snowflake Id?

Hi Nick Can you make video on Common Generic return method for both success or failure of the API

I might be wrong about this... I thought the most common reason for introducing GUID/UUID was database replication with multiple write replicas. So this seems only be useful in an environment with a single main database for writing and maybe read replicas. That's a tough decision to make upfront development, since it might be the wrong direction after all and changing all indexes afterwards might be very tedious.

is there any performance benchmark between guid vs int?

Nice library, has anyone test the processor consumption on it? I'm kinda paranoid as I have used bcrypt in nodejs couple years ago and turned out it crippled my server when over 1000 concurrent user access my endpoint.

Please enlighten us on Guid optimization and possibly Snowflake Ids. Thanks Nick.

Sick

I just ran the benchmarks Nick outlined in the video and they've made some improvements, about 1-2 ns with no overhead now. (I tested with .NET 7.)