Closed Rookian closed 1 year ago
Hi @Rookian. The IDs aren't going to be "guessable" in the sense that there won't be a recognizable pattern between consecutive numbers, but keep in mind that libraries like Sqids and Hashids are generally primarily used for aesthetic purposes, and even though they do also provide a decent level of obfuscation — meaning 99% of ordinary users won't be able to figure out the numbers behind your IDs, and won't be able to increment them — if someone is really determined, they can still technically decode your numbers, because after all, Sqids/Hashids are not encryption algorithms (that would make them slow) and they don't claim to be.
If the sorts of things you're encoding with Sqids/Hashids are so sensitive that you simply can't afford the possibility of them being decoded by someone else, then what you really need is a proper encryption algorithm (e.g. AES, RSA, etc.), and Sqids/Hashids may not be suitable for your use case.
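The reply's suggestion to use a proper encryption algorithm, shown as an added example that is not part of the thread and is not Sqids/Hashids code: numeric IDs wrapped in AES-256-GCM with Node's built-in `crypto` module, so a token cannot be decoded or altered without the key. The names `encryptId`, `decryptId` and `KEY` are assumptions, and the key is generated in-process only so the sample runs.

```javascript
// Added example: AES-256-GCM tokens for numeric IDs (not Sqids/Hashids code).
const crypto = require('node:crypto');

// Assumption: in production the 32-byte key comes from a secret store.
// It is generated here only so the example runs stand-alone.
const KEY = crypto.randomBytes(32);

// Encrypt a non-negative integer ID (up to 64 bits) into a URL-safe token.
// Layout before encoding: 12-byte nonce | 8-byte ciphertext | 16-byte GCM tag.
function encryptId(id, key = KEY) {
  if (typeof id !== 'bigint') id = BigInt(id);
  if (id < 0n || id > 0xffffffffffffffffn) throw new RangeError('id out of range');
  const plain = Buffer.alloc(8);
  plain.writeBigUInt64BE(id);
  const nonce = crypto.randomBytes(12); // fresh per token, never reused with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64url');
}

// Decrypt a token. Returns the ID as a BigInt, or null when the token is
// malformed, was altered, or was produced under a different key.
function decryptId(token, key = KEY) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length !== 36) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(20, 36));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(12, 20)), decipher.final()]);
    return plain.readBigUInt64BE();
  } catch {
    return null; // GCM tag check failed
  }
}
```

Tokens are 48 characters long and differ on every call for the same ID because of the random nonce, which is the cost of using real encryption instead of a short reversible encoding.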
Is the Id still guessable even if I have provided my own alphabet? Is there a way to make the generated Id secure (e.g. using a salt)?