How easily can you guess a GUID that might be generated?

Question

GUIDs get used a lot in creating session keys for web applications. I\'ve always wondered about the safety of this practice. Since the GUID is generated based on informati

Answer 1

GUIDs are guaranteed to be unique and that's about it. Not guaranteed to be be random or difficult to guess.

TO answer you question, at least for the V1 GUID generation algorithm if you know the algorithm, MAC address and the time of the creation you could probably generate a set of GUIDs one of which would be one that was actually generated. And the MAC address if it's a V1 GUID can be determined from sample GUIDs from the same machine.

Additional tidbit from wikipedia:

The OSF-specified algorithm for generating new GUIDs has been widely criticized. In these (V1) GUIDs, the user's network card MAC address is used as a base for the last group of GUID digits, which means, for example, that a document can be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa worm. Most of the other digits are based on the time while generating the GUID.