Cameron Childress said:
> A plaintext link or URL is no more or less secure than a plaintext
> password. The equivalent using the random password technique would
> simply involve making the new random password only good for 24
> hours.
>
> Assuming the UUID is truly random (historically some versions of CF
> have generated predictable UUIDs) both methods are equally effective
> from a security standpoint.

UUIDs are never random. (If they were random, there would be no way to
ensure they were unique until 3400 AD.) They are in fact fairly
predictable, following a well-known algorithm that allows for fairly
easy extrapolation if you have another UUID from the same system and
know when both UUIDs were generated. It has a resolution of only 10
million per second (which is very little in cryptographic terms).

See ISO 11578 or the draft "UUIDs and GUIDs" RFC for details.

Jochem
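
Added example, not part of the original message: a Python audit check that flags reset tokens using the time-based (version 1) UUID layout, shows which fields two such tokens share, and contrasts them with a token drawn from the OS CSPRNG. The sample UUIDs are constructed and the function names are hypothetical.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# Time-based UUIDs count 100 ns ticks (10 million per second) from this date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# Constructed samples: same host fields, timestamps exactly one second apart.
SAMPLE_A = "3f2a1c00-5b6d-11d9-9a3c-0a0027000001"
SAMPLE_B = "3fc2b280-5b6d-11d9-9a3c-0a0027000001"


def audit_token(token: str) -> dict:
    """Report whether a reset token is a time-based UUID and what it discloses."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return {"kind": "opaque", "time_based": False}
    if u.version != 1:  # version is None for non-RFC 4122 variants
        return {"kind": "uuid-non-v1", "time_based": False}
    return {
        "kind": "uuid-v1",
        "time_based": True,
        "issued_at": UUID_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",
    }


def shared_fields(a: str, b: str) -> dict:
    """Compare two time-based UUIDs: only the tick counter separates them."""
    ua, ub = uuid.UUID(a), uuid.UUID(b)
    return {
        "same_node": ua.node == ub.node,
        "same_clock_seq": ua.clock_seq == ub.clock_seq,
        "tick_delta": ub.time - ua.time,
    }


def new_reset_token() -> str:
    """Hardened alternative: 256 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(audit_token(SAMPLE_A))
    print(shared_fields(SAMPLE_A, SAMPLE_B))
    print(audit_token(new_reset_token()))
```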