Why use non-sequential IDs?

Question

Some people recommend using non-sequential IDs for users (and other purposes) in web applications. What are the benefits of this approach, and when should it be used?

Answer 1

The benefits are that non sequential ids can be hard to guess. If they are exposed anywhere, sequential ids can be used to determine information about your site.

For example, if there is a user info page for each registered user that is accessed by user ID, then an attacker could use that to count your users, and count your sign up rate. This may be commercially sensitive data.

Using a sparse ID like a uuid would prevent this attack, and also make it harder for someone to scrape the user list.

The down side is that you need to cope with potential collisions in such a space, and it makes it slightly harder for you to count your users.

When it should be used depends on what you want to do, if you want people to be able to iterate your users, or sort by ID then use sequential ids. If you want to prevent this, then use non sequential ones, or don't ever use te ids in an externally visible manner.

Answer 2

Non-sequential IDs are useful if you don't want to share the number of users or the growth rate in your application. This can be particularly useful when starting a new service, and you don't want your users to know that there are still very few users.

As someone else has said:

Every website has a third user, but that third user doesn't have to know he is the third user.

It's important to note that you should not use this as an approach to security (i.e. security through obscurity).