Re: Create on insert a unique random number

From: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
To: "Campbell, Lance" <lance(at)uiuc(dot)edu>
Cc: "Vivek Khera" <vivek(at)khera(dot)org>, <pgsql-sql(at)postgresql(dot)org>
Subject: Re: Create on insert a unique random number
Date: 2008-03-18 19:24:14
Message-ID: 20080318152414.bb43eb00.darcy@druid.net
Lists: pgsql-sql

On Tue, 18 Mar 2008 13:40:42 -0500
"Campbell, Lance" <lance(at)uiuc(dot)edu> wrote:
> Why use a random number as a primary key? Security via obscurity.

Something with very short shelf life but...

> I build web applications for a living. In most of my applications it is
> preferable to use a random primary key. Why?

I understand why you might need a random field. My question is, why
does it have to be the primary key? I'm also not sure why it has to be
unique. You can always base the URL on both the primary key and the
security field. Now you don't need to worry about collisions. In
addition the serial number can be a public reference to the record.

Off-topic but related, funny story, I was once in charge of a
medium-sized ISP and some suit came to me and suggested that for extra
security we should not let users pick passwords that already existed in
the system. My response was "So the error message should be that
someone in the system already has the password that you tried to use?"

--
D'Arcy J.M. Cain <darcy(at)druid(dot)net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
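
The scheme suggested in this message (a serial primary key as the public reference, plus a random security field that need not be unique, with both in the URL), shown as an added example that is not part of the original email. It assumes in-memory SQLite in place of PostgreSQL, and the table, column and path names are hypothetical.

```python
import hmac
import re
import secrets
import sqlite3

# Assumptions: in-memory SQLite stands in for PostgreSQL; the table, column
# and path names are hypothetical.
PATH_RE = re.compile(r"/doc/([0-9]{1,18})/([A-Za-z0-9_-]{1,64})")


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE doc ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"  # serial key, public reference
        " token TEXT NOT NULL,"  # security field, deliberately not UNIQUE
        " body TEXT NOT NULL)"
    )
    return db


def create_doc(db, body, token=None):
    """Insert a record and return the URL path that references it."""
    # 128 bits from the OS CSPRNG. The token argument exists only so the
    # demo can force two rows to share a token.
    token = token or secrets.token_urlsafe(16)
    cur = db.execute("INSERT INTO doc (token, body) VALUES (?, ?)", (token, body))
    return f"/doc/{cur.lastrowid}/{token}"


def resolve(db, path):
    """Return the body for /doc/<id>/<token>, or None if either part is wrong."""
    m = PATH_RE.fullmatch(path)
    if m is None:
        return None
    row = db.execute("SELECT token, body FROM doc WHERE id = ?", (int(m.group(1)),)).fetchone()
    # Unknown id and wrong token get the same answer; compare in constant time.
    if row is None or not hmac.compare_digest(row[0].encode(), m.group(2).encode()):
        return None
    return row[1]


if __name__ == "__main__":
    db = open_db()
    a = create_doc(db, "invoice A", token="constructed-same-token")
    b = create_doc(db, "invoice B", token="constructed-same-token")  # collision
    for path in (a, b, "/doc/2/guess"):
        print(path, "->", resolve(db, path))
```

Because the lookup is keyed on the serial id and the token is only compared afterwards, two rows sharing a token still resolve to their own records, so no uniqueness check or retry loop is needed on insert.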
