In case it wasn't obvious in the video, this video is NOT against GUIDs. Distributed systems absolutely need them but distributed systems will probably use NoSQL databases which don't suffer from the problems outlined. Also, of course everything should have proper auth where needed and you shouldn’t rely on unguessable urls. This was never in question and was never brought up as a selling point of the library or the approach. It is assumed to be the bare minimum that you should have. The video is all about how you can keep using sequental IDs internally, if the only reason you wanted to move to GUIDs was the exposure of the data with a concern about losing database performance, without having to worry about exposing guessable ids and opening your system up to potential security problems. Sequential ids, both ints and guids, can give your competitors business intelligence for your system (user/order count, rate of growth etc). We need to acknowledge that there is a huge amount of people that don't work in scaled out, cloud native microservices, and this video is for them. For a video focusing on the practicality and security issues with enumerated entities in URLs check out Tom Scott's video here: kzbin.info/www/bejne/naDGqIWsgc13nJo

Ah, I was wondering why the project was suddenly getting PRs today. I'm the current maintainer, thanks for highlighting this!

A global seed stored in the app's code is usually called "pepper". "Salt" is what differs for every record, and is stored in the datastore.

When you start with "Hello everybody" and your name is Nick, I immediately picture dr. Nick from the Simpsons. Love your videos!

Congrats on the 100K subs, well deserved man!

You talk about the security aspect of sequential id's at the beginning, which I appreciate. But if you don't keep the HashId-seed secret, it has basically the same problem, an attacker just needs to decode the hash into a sequential id, increment or decrement and encode again to get another possibly valid hash. Well, eventually, authorization should anyway be enforced in other ways, because hashes, guids and sequential id's can always leak, and that shouldn't give non-authorized people any power in a secure system.

Hi Nick, very nice video, I've been also using some other ID format called KSUID (k-sortable unique ID), these are basically smaller for storage than UUID but with more entropy bytes and I really loved them. They are sequential sortable by design, so no encode/decode has to take place. There is support in a various range of programming languages nowadays (originally coming from Go). I would love to see a video on them, too.

I work on a large project where we originally used GUIDs as the primary key in the database, but for DB2 at least, the indexing was horrible because they were basically random and caused a lot of index cache misses. Switching to a sequential ID was the way to go for efficiency. But for exposing to web UIs, we keep a pair of dictionaries in the session state which map numeric IDs to guid and guid to numeric ID. Obviously just for the IDs we need to return to the user. Works pretty well.

4:36 - The term “hash” and “hashing” long predates crypto as a term of art in computing. It simply refers to the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hash ID perfectly describes this use case and is not even slightly arbitrary in meaning or application. In fact, cryptography is a form of hashing but hashing is not necessarily cryptographic. That is to say, hashing doesn’t necessarily obfuscate the original value. Take, for example, a hashtag. To go full circle, GUIDs and UUIDs are also hashes.

Great video as always nick. Please please create a video in optimizing GUIDs as IDs Nick 🙏

Thank you Nick. I really like the idea to hide the real sequentiell integer id. Without drawback of perfomance issues of a guid. Also to be possible to "hash" multiple ids is great. Sometimes you need it. Great explanation also. :-)

Congratulations on reaching 100K subscribers.... As usual you present good value and good explanations! Keep up the good work!

It was nice to see you directly saying the outro 😀 And congratulations for the 100k subs, you really deserve it 🎉

Hello Nick, very good explanation of the topic! Little note I wanted to add: 1. If performances are not an issue and security is preferred, it is recommended to use standard cryptography algorithms to do exactly what you described here, keeping the sequential indexing power of RDBS, but also obfuscating the ids. Everything done at runtime by a middleware or the endpoints themselves. 2. In performances scenario, perhaps doing maths on huge numbers may be way faster than doing stuff on string as `hashids` is doing, keeping the unpredictable property using `long`. But anyway, the git repo of hashids looks great and the idea is fair interesting to customize the obfuscated ids with custom alphabets. :) Thanks for sharing!

Hi Nick, each video is a incredible class. I from Brazil and try to follow by subtitles.

This is one way to do it, I typically just use a secondary unique index with uuids. My queries/joins use the typical relationship integer ids but I don't expose those as identifiers or in my db code. That is a better way architecturally imho since the monotonic ids are actually leaking your db implementation details, making it harder to swap out your database and the ID generator inside the database becomes a singleton service that is difficult to replace.

Congrats on reaching 100K, you deserve it! This is a very useful topic, thanks. :)

Congrats on 100K subscribers. Your videos always give some new knowledge and ideas.

We use Type 1 UUIDs which are sequential. I believe Cassandra uses them for the clustering key also. Also guaranteed unique with no conversion required. You can also represent the UUID as Base64: "Ej5FZ-ibEtOkVkJmVUQAAA". 22 chars instead of 36.

first of all i don't think that a bad library but in c# their is already a interface called IDataProtectionProvider. which can do the same thing and in terms of memory allocation i think that is also not bad either. also Congrats on the 100K subs.

Yes please on the "optimise Guids for RDB" idea! Thanks for the vid.

Nice content as always! Tbh the security problem is not the id type, the issue is not checking the user access rights. And GUID Ids are usually recommended for distributed DB or merging multiple DB into a data warehouse. Also, to avoid fragmentation, the best approach is to use sequential GUIDs generated by the DBMS.

It's nice to have options for different types of IDs to be used in different situations. GUIDs are nice sometimes, integers are nice other times. I've really enjoyed Flake IDs in some distributed situations, and hash-based IDs are great for these user-visible URL situations you're describing. Picking the right format of IDs for the right use-cases, and being able to cheaply translate between them when necessary, is important for the good design of many systems.

Interesting. Previously I have used checksums to improve performance when searching strings. More for urls, emails, etc. where you have to store the full thing, but you want more optimal indexing.

I use ulids, it has benefit of uuids (non colliding, and okay in distributed systems), and yet you can sort them in order (it uses current time as well), :)

I'm growing by every video you release. Thanks for the your efforts towards the community. My kind request - please make book suggestion videos for software design.

Great vid! I've been using hashids lots recently and it's worth pointing out that I've had pentesters rule that the hashids library output is guessable. They aren't entirely wrong, if you generate a bunch of them in sequence you will see that a pattern that forms over time. Especially if you limit the alphabet like I recently did to make a hashid more human readable by removing ambiguous letters that could be numbers etc.

It is a kind of relief to see that professionals as Nick codes some silly things as printing peepee poopoo just like me 🤡

Good learning stuff, thanks. Congrats on 100+k subscribers

I would say that if your API is going to return an object, it should be checking who is requesting it (authentication), and that that user has rights to see that object (authorization / access control). Just knowing the ID generally shouldn't give one access to the object. I haven't looked at the source of this library. (How cryptographicaly secure is it?) However one thing we can see from the examples shown is that *it does leak some information about the size of the ID* . A 32-bit ID (~4.2 billion possible values) (with the value 1) was mapped to two characters in a character set with 52 characters (capital and lowercase letters) (2704 possible value (52^2)) - a reduction from 32 bits of entropy to less than 12. If an attacker knows the algorithm (and depending on them not knowing (security by obscurity) is a bad practice), or just sees one low ID and guesses that others would be the same size, they've only this smaller key space to brute force, in order to find some valid values. If the system accepted 5 requests per second, they could cover those 2704 values in under 10 minutes (or a 12-bit range in under 14 minutes). If you depend on an attacker not knowing an ID (the ID value visible in the API), ideally, it should be *increasing* the size of the ID to something that is clearly infeasible to brute force. A 32-bit key would generally not be considered very secure, but it depends on your application, and how fast the attacker could make requests, and whether they would be locked out after a few invalid ones. Also remember that they don't have to cover the whole ID space to compromise some data. (e.g. if you had 32-bit IDs and your obfuscation function mapped them so that they were randomly distributed over the 32-bit space, and you had 100,000 records (of the same type/class/table) accessible by an ID, then an attacker would find a match after trying 42950 values on average). Another fundamental problem with lack of authorization is that someone who had access to a record at one time, might not be entitled to access it at another time, but they could still know the ID.

In MYSQL , you can store uuid columns as BINARY. MySQL 8 has UUID_TO_BIN() function and vice versa

I suggest using ULID. They're randomly generated like GUID, but sortable chronologically. This gives the best of both worlds.

Could not have come at a better time. I was never a big fan of converting to base64 strings, trimming the non-alpha characters etc. Thanks for the video - the solution is perfect. For anyone using long integers as their keys, you can convert those to a hex string first and then use the EncodeHex and DecodeHex calls from the nuget package.

Well done with the 100k subscribers, well deserved. Your videos are excellent. On this topic, you could create a custom binder to decode for you before you hit the action method?

Hello Nick. thanks for the insights on the hashids. I would love to see how to see the how optimise GUID searches video

What a great idea. We've been using GUID and had to add an additional incremental column to get around indexing and paging limitations. Too late to rewrite everything now, but for new projects this is definitely a much better way to go about it.

I'd definitely give this a try on my up comming projects. Thanks for sharing!

Looking forward for the video on guid optimization. Thank you for the video!

I am interested in performance comparison between hashId and GUID

Your content is gold! Thanks and congrats on 100k!

I think it bears mentioning that using a system like this is great for a greenfield project where you have never exposed an int ID. However if you have it would be trivial to back into the salt value from a previously known ID converted to a hashid.

Yes we want that video sir

Best feeling when u see that nick uploaded a new video😁 Good and interesting topic btw

I worked on a project years ago that used nHibernate as the ORM and we had it configured in such a way as to use a specific guid algorithm (I think it was called comb) that generated indexable guids, so it is possible to get database friendly guids. That was actually my first job and we used guids everywhere, felt weird on my next job using ints as PKs

Very weird to see this in your latest videos when I just implemented this exact solution last week lol. After a very successful prototype it had me wondering where else I can use this in older projects instead of a GUID. Solid video man

Hi Nick, Thank you for sharing this very interesting topic. Lot’s of greetings, Dennis 🇳🇱

Very interesting. EF Core uses a sequential guid value generator by default (when using MSSQL) to avoid this problem.

Please make a video how to optimise GUIDs as Ids

Hello Nick! :) Thank you for clarification!

I know that this video is a bit older, but I just wanted to pass on a big thank you for it! I've always hated exposing key's as int's as you are right, makes it easy to hack the system. Also love you took a moment to look at the cpu cost to use the encoding plugin. Very complete. One question I did walk away with is what is the 'cost' of using guid's as primary keys as to just using int's from your experience? Thanks Again!!

Yes! I was just thinking about how I might optimize the use of GUIDS as IDs in a NoSql DB.

μπράβο ρε τέλεια τα βίντεο, ο μόνος C# KZbinr που παρακολουθώ!

Been using that library for ages. I highly recommend it

Congrats on 100k subs! I am interested in your thoughts about Twitter Snowflake ID and compare them GUID and maybe hashid. Which one would you choose to build a distributed system. Great video as always.

Not sure if you read this here, but one Question. What do you think is the option to use hashing like this afterwards without the need to change everything. I'm currently thinking about an action filter or something. Like this (Pseudo Code) ``` public class CovertHashAttribute : ActionFilterAttribute { public string[] ParameterNames { get; set; } = Array.Empty(); public CovertHashAttribute(params string[] parameterNames) { ParameterNames = parameterNames; } public override void OnActionExecuting(ActionExecutingContext filterContext) { var actionParam = filterContext.ActionArguments; foreach (var name in ParameterNames) { if (actionParam.ContainsKey(name)) { actionParam[name] = Decode(actionParam[name]); } } } } ``` And than afterwards a using like this ``` [HttpGet("{id}")] [Produces(typeof(ProductDto))] [CovertHash("id")] public async Task GetById(int id, CancellationToken cancellationToken = default) { var product = await Mediator.Send(new GetProductByIdQuery(id), cancellationToken); return Ok(product); } ```

Great video Nick! I will definitely check this library out! But during the whole video I kept thinking about collisions (with GUIDs you don’t have to worry) especially if you have a disproportionally big amount of data and have configured the library to a short “hash” length. Really nice video though, I’m learning a lot from you and I am inspired by your passion for deep, well explained knowledge.

Very nice. Didn’t know about this library. Thanks for sharing Nick!

I love this video, and thanks for highlighting this project. But, since UUIDs are a native datatype for most databases, they are stored in 128 bits internally. So, an alternative to UUIDs for data in flight might be to convert them to base64. You get the advantages of this project plus all the benefits of UUiDs

Congratulations on 100k!

Another interesting solution that I saw in Cassandra database is to use timeuuid (guid/uuid which contains time and can be sorted)

An alternative is to have an auto incrementing primary column and a separate GUID column (which is also indexed) that is assigned when the record is created. The GUID is used externally and the uint used internally. No GUID conversion necessary.. no cache or GUID lookup required

That's super cool! I am a JavaScript developer and I honestly like this approach more than GUID/UUIDs. There is a package called *nanoid* which also does the same thing and it would be amazing if you could do a comparison of all three (GUID vs NanoID vs HashID) to generate random ids and check the collision rate of them. Because I heard somewhere that NanoID's arent's really universally unique as GUID or UUID

One thing not covered but peeking my curiosity is if DR = 2 and Ir = 3. If the array of Ids is just a concatenation of individual values I think there is a major reduction in the value of this Lib as it would become much easier to guess values which was kind of the entire point.

The primary use of GUIDs is so you don't have to synchronize them. You could have two different places generating them, in completely separate processes,and later you could combine some or all of them without having collisions. Whatever your tip is for it's less than 0.1% of the use cases of guids covered. Yes guids are also pretty good db secrets, but they're not the best for that either. An actual public key and private key is much better, though even more high cost.

This came at the right time for me. Thanks Nick.

Great stuff, thanks Nick!

A really good library. Thanks for sharing.

Have been wondering about that security flaw for some time. This really eases resolving it in existing applications.

Hey Nick, cool package for sure I can see it’s use case. What are your thoughts on the hashid using primitive types and not a value type that encapsulates it’s logic? Also, I would love to hear more on how you optimize the use of GUIDs in your applications as well.

I might be wrong about this... I thought the most common reason for introducing GUID/UUID was database replication with multiple write replicas. So this seems only be useful in an environment with a single main database for writing and maybe read replicas. That's a tough decision to make upfront development, since it might be the wrong direction after all and changing all indexes afterwards might be very tedious.

I liked this and was about to use it, but then checked around for alternatives. Found Knuth's hash from ye olden dayes. If you want a quick comparison it generates ints that can be reversed back to the ID instead of strings and is apparently less crackable (though I doubt that matters too much for the use-case). Performance however, Knuth completed my benchmark in 950 ns while HashID took 1,466,137 ns.

Twitter uses Snowflake ID which is also interesting because it’s unique to your cluster of N machines and is also sortable.

This opened my eyes. On all of our API's we are still using raw ID's. Thank you!

Thanks for sharing-- interesting package, certainly worth giving it a shot

I found the easter egg, I knew I would have been rickrolled :) Great Video!

I'd be interested in a GUID deep dive for databases. My team is using UUIDs for everything because we can generate them in a distributed fashion without any need for synchronization and still have zero collisions. Sequential IDs in an RDBMS are problematic because you need hi-lo algorithms or other tricks to be able to generate many objects in a single transaction while avoiding clashes. I personally see the advantage of sequential IDs but UUIDs served me much much better.

Great video as always...I don't understand why you don't have 2M subscribers already...honestly. There must be something you can do to increase your visibility... The sequential hashes are great and all in particular scenarios but fails miserably when doing inserts. I started using Guids as PKs before Jesus wore diapers, for that particular reason. And when moving to distributed environments it makes them even more attractive.

To which dbms does this apply? In Postgres serial ids might be faster when writing, but for index lookups a random number offers better performance. Is that different for other dbms?

What is the max number u can save with this 11 length string? Seems like not much

As you pointed out, this is not in fact cryptographically secure hash - the ID isn't encrypted, it's just obscured. Personally, I actually prefer separating these values, so a URL pattern like user-{id}-{hash} is more "honest" and easier to debug. And in that case, not much point to this library - just base64 encode your hash, perhaps replacing URL characters like "/", and then validate it in the controller. I've done that dozens of times in different languages, it's just a few lines of code. 🙂

Pretty cool. Just maybe I'm spoiled, but I'm thinking it would be nice if we didn't have think about any of this, and could just use this kinda package implicitly... Meaning something like - have a model where it's just User.Id on the incoming model, with an attribute to indicate [HashId] and then have a middleware or modelbinder that automatically decodes incoming hashes back into ints... and outgoing ints into hashes

Are these known by a more formal name other than HashId?

Hi, thanks for the video, great idea. However, what would you do if your salt is exposed? In case you just change it then an API will stop working.

Yes please to the GUID optimization video.

Backpack (school app) had a similar issue. Kids pictures were stored by student id and it was accessible publicly.

There is a performance tradeoff. Random hash id will lead to fast index fragmentation in DB. So, maybe, sequential guid (UUID v1) is a good alternative.

What breaks if for some reason the salt needs to change at some point?

Very creative console messages!

This looks like a good package, but don't forget to do auth on all endpoints. Remember, security through obscurity is not security at all 🙂

I like when u said : "A url friendly random looking hash type thing" 😂😂

Thank you Nick, great video as always...

Been using it for years. Great it’s available for almost all popular languages. Also one note to mention, it’s not as efficient in inserting as guid

Are you assuming that a UUID is a string? A proper database UUID is just a really big number (128-bit) under the hood. All the indexing should behave the same as any other numerical field and, based on everything I've dealt with, there's no real performance differences. If the performance depends on being sequential then there are sequential UUIDs (aka ULIDs) in most databases as well.

I would love to see a video about guid optimization

It is url encryption and we have done it already :))

Is this better than using IDataProtector?

are the hashes stored somewhere? How does the FE know what hash to send?

I have a question guys, with this tool for hashing the ids, ¿ is there a need to store the guid ?

Hey, are you planning on bundling every course together or not? And can we pay in euros or only in pounds? Thanks for great content and congrads on 100k, well deserved.

Nice library, has anyone test the processor consumption on it? I'm kinda paranoid as I have used bcrypt in nodejs couple years ago and turned out it crippled my server when over 1000 concurrent user access my endpoint.