10.08: OpenAI access is interesting, thanks. Love your post, covering this.
Thanks!
We have been using Sqids for the same reason. That is a good suggestion. Also, because the database ID is numeric, we get better query performance.
Sqids *should not be used for security*. The proper way to do this in a secure manner would be using public key cryptography. Sqids does not do this and since the client knows the shared alphabet, so does a hacker in most applications.
The Sqids project, to their credit, is relatively clear about this, but the article you cited is not.
I agree about using a different method if you want something "secure". Sqids seems more like "security through obscurity". Although, I envisioned that URLs would be generated and translated on the web servers as opposed to clients. Therefore, I would think the alphabet would be unknown to the client. I agree this won't stop hackers, but I think it would prevent John or Jane web user from knowing how many accounts or transactions your application has.