Phobos randomUUID is not suitable to generate secrets

wjoe invalid at
Mon Aug 31 14:02:00 UTC 2020

On Monday, 31 August 2020 at 07:49:24 UTC, Cym13 wrote:
> [...]

Very insightful article, thank you.

I don't think the right approach to solve any problem is to 
silently support misuse.

A better way, IMHO, would be to
1) Add a generateSecret() function to Phobos, and
2) Add a Warning to the docs and the use of the function that 
says something like: "A Universally Unique Identifier (UUID) is 
*not* a secret and shouldn't be used as such. This includes 
session cookies, password reset tokens, etc.. For such purposes 
use generateSecret() instead. This message can be disabled by 
providing version=IUnderstandThatUUIDsAreNotSecrets", and
3) Silently implement randomUUID() to use generateSecret() 
because people aren't listening.

I believe a big part of any solution is to destroy assumptions 
and to make people aware of their misconceptions/mistakes.

More information about the Digitalmars-d mailing list