0

My case is this, I need to offer people a one time code that they can use to login. These people are not tech literate. They need to be offered a human readable code.

The format is something along the lines of this;

ACBE-adK3-SdLK-K23J

a set of 4 times 4 human readable characters. For a total of 16 characters, that seems reasonable secure as an UUID. But can easily be extended if needed.

Now, is using say NanoID 4 times for to generate a 4 character long string equivalent to using it one times for a 16 character string and then chopping it up? I think it is. Programmatically it's trivial to implement either. But, I really wonder about the actual factual answer. If some math specialist would indulge me?

Edit: To answer the questions;

  • It's to allow people access to photo's only they should have access to, think photo's for passports, school photo's and the like. People use the code once to link the photo's to their e-mail and from their on login using e-mail/password combo's. Having people signup using e-mail beforehand is in this case not an option.
  • I am aware using hex digits is the usual case. I need easy human readable. So cutting up a 16 digit hex block into 4 distinct part seemed the logical step.
  • The chosen alphabet would be a-z A-Z 0-9 and excluding a few symbols, such as 0/o/O and I/1/l to limit mistakes. This would allow expressing the same ID in less characters.
  • I am aware now, that NanoID is not an UUID implementation. Thans. But for my goal it would be sufficient I think. If not, I'd like to know that as well.
  • I am using Python 3
Peter O.
  • 32,158
  • 14
  • 82
  • 96
Eloque
  • 311
  • 2
  • 10
  • UUIDs are not cryptographically secure. What platform/language are you using? Most language's standard libraries or platform APIs have a crypto RNG built-in. – Dai Mar 17 '21 at 23:06
  • 1
    NanoID is not an implementation of UUID, btw. – Dai Mar 17 '21 at 23:06
  • NanoID has a length parameter - so you don't need to call it 4 times - just call `nanoid(16)`. – Dai Mar 17 '21 at 23:07
  • How secure do you really need it? Is it a banking website? Health data? Gaming? Programming Q&A? A 4 digit alphanumeric code will provide 1,679,616 combinations. Make it upper/lowercase alphanumeric and you've got 7,311,616 combinations. – Lil Devil Mar 17 '21 at 23:17
  • UUIDs are typically expressed as hex digits; you're showing something with a much larger range (thus, more information density), but it's not UUID-like. – Charles Duffy Mar 17 '21 at 23:22
  • A [universally unique identifier (UUID)](https://en.wikipedia.org/wiki/Universally_unique_identifier) is a 128-bit value, not text. The various bit positions have certain meanings. A UUID is canonically expressed in text as a [hexadecimal](https://en.wikipedia.org/wiki/Hexadecimal) string delimited by hyphens into five groups. A UUID is distinctly different from a Nano ID. – Basil Bourque Mar 18 '21 at 03:13

1 Answers1

0

A string format such as the one you give in your question is ultimately a one-to-one mapping from integers to human-readable strings. If the integer is generated so as to be unique, so will the human-readable string be.

In your case, you can generate a uniform random integer in the interval [0, AS), where A is the alphabet size (such as 36 for upper-case letters and digits), and S is the number of characters in the ID (which is 16 in your example, excluding hyphens). Then map that integer one-to-one with human-readable strings in the desired format.

In your case, the ID will serve as a secret "confirmation code", in which case it should be generated using a secure random generator, such as secrets.SystemRandom or random.SystemRandom or secrets.randbelow in Python (but note that randomly generated values are not unique by themselves).

Peter O.
  • 32,158
  • 14
  • 82
  • 96