A while ago I worked on a web application where users could buy tickets. Due to the way our client's processes worked, what you effectively got as a result of your purchase
People say that GUID / UUID is not safe. Is it true?
C#'s GUID is a 128-bit integer and it means a lot of combinations: 170,141,183,460,469,231,731,687,303,715,884,105,727
But let's say our attacker uses brute force and each attempt takes 0.1 seconds; you know that we are talking about a lot of time, so nobody will even dare to do that.
But let's say GUID is not "safe", so the entropy is reduced to, let's say, 32 bits (2,147,483,647); it means a brute force attack could last
2,147,483,647 x 0.1 second / 60 / 60 / 24 = 2400 days. So, even a 32-bit GUID is safe (but it could generate collisions).
We could argue that a GPU or a super-computer could generate that number of combinations in a snap of seconds. Yes, but generating a list of values means nothing if they can't be tested.
Also, a brute force attack is easily identifiable; it's what we call a DDoS, and there are several ways to mitigate it.
Mathematically, GUID is safe but the mathematical world and the real world are too different.
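The comment's arithmetic and its "easily identifiable" point, worked through as added example code (not from the original page or its author). `brute_force_days` reproduces the one-attempt-at-a-time estimate (the 2,147,483,647 values quoted are a 31-bit space); `uuid_random_bits` checks that an identifier is actually a random version-4 UUID, since the entropy argument only holds for those; `enumeration_suspects` runs over a constructed access log to flag a client accumulating 404s on ticket URLs. Threshold, log format and IP addresses are assumptions.

```python
import uuid
from collections import Counter

SECONDS_PER_DAY = 86_400

def brute_force_days(entropy_bits: int, seconds_per_attempt: float) -> float:
    """Days to try every value in a space of 2**entropy_bits identifiers,
    one attempt at a time with no parallelism (the comment's model)."""
    return (2 ** entropy_bits) * seconds_per_attempt / SECONDS_PER_DAY

def uuid_random_bits(value: str):
    """Random bits an unguessable-identifier argument may rely on.
    Only RFC 4122 version 4 UUIDs are generated from random data
    (122 bits: 128 minus 4 version bits and 2 variant bits). Other
    versions derive from time, node or a name, so return None."""
    u = uuid.UUID(value)
    if u.variant == uuid.RFC_4122 and u.version == 4:
        return 122
    return None

# Constructed sample access log (assumed format: ip method path status).
# One client walking ticket URLs and missing, one normal client.
SAMPLE_LOG = """\
203.0.113.7 GET /tickets/0f8fad5b-d9cb-469f-a165-70867728950e 404
203.0.113.7 GET /tickets/7c9e6679-7425-40de-944b-e07fc1f90ae7 404
203.0.113.7 GET /tickets/16fd2706-8baf-433b-82eb-8c7fada847da 404
203.0.113.7 GET /tickets/6ecd8c99-4036-403d-bf84-cf8400f67836 404
198.51.100.4 GET /tickets/c9bf9e57-1685-4c89-bafb-ff5af830be8a 200
"""

def enumeration_suspects(log_text: str, threshold: int = 3) -> dict:
    """Clients whose 404 count on /tickets/ reaches the threshold.
    With random identifiers nearly every guess misses, so a burst of
    misses from one source is the signal to rate-limit or block."""
    misses = Counter()
    for line in log_text.splitlines():
        ip, _method, path, status = line.split()
        if path.startswith("/tickets/") and status == "404":
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}

if __name__ == "__main__":
    print(f"31 bits at 0.1 s/try: {brute_force_days(31, 0.1):.0f} days")
    print(f"122 bits at 0.1 s/try: {brute_force_days(122, 0.1):.3e} days")
    print(uuid_random_bits("0f8fad5b-d9cb-469f-a165-70867728950e"))
    print(enumeration_suspects(SAMPLE_LOG))
```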