Closed CarlinJacob closed 2 years ago
@CarlinJacob, @ai,
How can nanoid be considered more secure when it doesn't track or enforce uniqueness?
This module, shortid, appears to use the time component to ensure unique IDs, whereas nanoid makes no attempt that I can see to make unique IDs. If the same ID is given to two different people, one person might end up accessing the other person's private stuff, which is LESS secure.
If you are going to recommend that people use nanoid instead, at least be clear that they would be switching to a module that makes no attempt to provide unique strings, only random strings.
I think a module like shortid is a good idea: one that generates short random strings that are both crypto-random AND unique.
How can nanoid be considered more secure when it doesn't track or enforce uniqueness?
shortid doesn't track uniqueness either. If you restart your Node.js application, you will lose all data. It has even more edge cases.
Tracking uniqueness is so extremely complicated, that it will not work in most of the cases.
This is why it will be much safer to just use hardware randomness and a long enough ID (for your task).
@ai Thanks for the feedback.
I worked on a module like Nano ID in 2015, secure-random-string.
I would like to accept this PR, but it seems there is a problem with the branch (GitHub shows "This branch cannot be rebased safely"). Can you remove your fork, fork it again, create a branch and then send the PR? I think it could fix the problem.