In all seriousness, is there any problem with using (cryptographically securely generated) UUIDs as passwords? They have plenty of entropy, right? - ThreadSky

qntm.org • 18 days ago

In all seriousness, is there any problem with using (cryptographically securely generated) UUIDs as passwords? They have plenty of entropy, right?

Reposted from qntm

I just use the same UUID everywhere. I know it's not very secure practice but what are the chances

Comments

filippo.abyssdomain.expert•18 days ago

They are perfectly fine random passwords.

Although note that for online logins (i.e. not disk encryption) entropy doesn’t matter much.

Risks are 1) reuse 2) phishing 3) malware 4) trivial guesses (12345, password) and very distant 5) hash cracking.

High entropy is only needed for (5).

doradiology.com•18 days ago

So a random UUID (*) protects against 1), 4), and most importantly 5)

* Easy to create, just as any properly randomized string, regardless whether it is universally unique in time

asriel.balloon.gay•18 days ago

I'm pretty sure this is a preset in the KeePassXC password generator.

retr0.id•18 days ago

I think the main issues are on the UX end - if a human ever has to transcribe it it's a fairly painful process

qntm.org•18 days ago

Good strong passwords are generally much more difficult to transcribe than a typical UUID due to mixed case letters and possible strange symbols

retr0.id•18 days ago

encodings/representations aside, a UUID has more entropy than you actually need for a password. there's no well-defined threshold but 80 bits of entropy is probably "more than enough" when combined with key stretching

qntm.org•18 days ago

But generally this (manual transcription) shouldn't be something humans need to do, and it isn't something that strong password choice takes into account

retr0.id•18 days ago

In an ideal world humans would never have to interface with passwords, but the world is not ideal :P

qntm.org•18 days ago

Passkeys may be getting us there

daveandersen.bsky.social•18 days ago

Fine as long as the site isn't stupid. In this case, stupid means truncating the password - UUIDs have comparatively lower entropy per character than some other random password schemes.

You'd hope that in 2025.... 🤓

remyporter.bsky.social•18 days ago

I got locked out of a bank account once a few years back because they silently truncated the password when I set it but didn’t truncate when I logged in and I hate it.

cscheid.net•18 days ago

They’re not going to pass some of the (wrong, but existing) password quality guidelines but yeah, they should be totally fine.

qntm.org•18 days ago

The only concern is the source of those UUIDs. Don't get them from https://www.uuidgenerator.net/, you don't know where they've been

goodki-d.bsky.social•18 days ago

? passwords dont need to have crazy entropy?? or am I missing something

qntm.org•18 days ago

They need to be difficult to guess, so they need to be chosen from a very large possible range

goodki-d.bsky.social•18 days ago

yes.. pass phrases are by far most secure and we haven't found anything better imo

qntm.org•18 days ago

Passphrases and passwords can both be arbitrarily secure or insecure, it's a matter of length (i.e. entropy)

fractalnebulae.bsky.social•16 days ago

python
import uuid
uuid.uuid4()
... trim dashes, shorten if needed

^^ muscle memory

that said, if I have quick access to 1password I'll use their pw generator instead

icyphox.sh•18 days ago

haha im going to find ur password on https://everyuuid.com

forohfor.bsky.social•18 days ago

kind of depends on the uuid scheme (you probably don't want to use the ones with timestamp/mac address info) but it should be totally fine as long as the random part has a large possibility space.

Comments

Posting Rules

Reply