The Evils of Sequential IDs
3 reasons not to use Sequential IDs as Primary Keys
- Sequential IDs have several well-known, recurring risks
- We will discuss 3 risks associated with Sequential IDs as Primary Keys
- Some valid cases for maintaining Sequential numbers are discussed

2001 was a very interesting time for me.
I had just made a major career change: realising nursing was not really my thing, I had changed fields and graduated with a CompSci degree, formalising all the things I had tried to learn myself. The Y2K panic had happened, and the dot-com bubble had just burst, flooding the field with people who had a lot more experience than I did and making finding a job all the more challenging. 9/11 brought security into crystal focus for professionals everywhere, information security being part of that. In this context, I found my start with a small consulting company that helped small businesses transition from in-house software solutions to robust managed solutions, and further into online solutions available from anywhere.
During one of these conversions, the owner of my company brought up an article he had recently read, and a debate ensued. According to the article, people should stop using sequential IDs for their record identifiers. This seemed absurd to me. Sequence IDs are easy to create, and they are easier to read; it makes no difference what you use internally. He was being absurd.
Unfortunately, he lost the debate.
- I have long since learned to be more open in my discussions
- He was right
It was many years later, and I was working on a refactoring of a website. I knew there were several vulnerabilities, but time is a precious resource, and I had prioritised them as best I could. That’s when we got the report: a customer had noticed that when you log in, you get logged into Company 5. He assumed that if there is a 5, there must also be a 6… and he gained access to data he had no business seeing.
If I had been more open to my boss’ argument, I might have seen how risky sequential IDs are and prioritised…
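
The Company 5 / Company 6 incident described above, as an added example that is not from the original article: a handler that trusts a client-supplied sequential ID, beside one that resolves a random public ID and checks it against the session's own company. The data, session names and function names are constructed for illustration.

```python
import secrets

# Constructed sample data: two tenants stored under sequential primary keys.
COMPANIES = {
    5: {"name": "Acme Ltd", "invoices": ["A-100", "A-101"]},
    6: {"name": "Globex Inc", "invoices": ["G-900"]},
}
# Random public identifiers; the sequential key never leaves the server.
PUBLIC_IDS = {secrets.token_urlsafe(16): pk for pk in COMPANIES}
# Constructed sessions: each logged-in user belongs to exactly one company.
SESSIONS = {"alice-session": 5, "bob-session": 6}


def get_company_vulnerable(session_id, company_id):
    """Trusts the ID sent by the client: any logged-in user can read any company."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return COMPANIES[company_id]


def get_company_hardened(session_id, public_id):
    """Resolves an unguessable public ID, then checks it against the session's company."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    company_id = PUBLIC_IDS.get(public_id)
    # Same error for "unknown" and "not yours", so replies do not reveal which IDs exist.
    if company_id is None or company_id != SESSIONS[session_id]:
        raise PermissionError("company not found")
    return COMPANIES[company_id]


def public_id_for(company_id):
    """Demo helper: the public ID issued for an internal key."""
    return next(pid for pid, pk in PUBLIC_IDS.items() if pk == company_id)


if __name__ == "__main__":
    # A Company 5 user asking for Company 6 succeeds in the vulnerable handler.
    print(get_company_vulnerable("alice-session", 6)["name"])
    try:
        get_company_hardened("alice-session", public_id_for(6))
    except PermissionError as exc:
        print("hardened handler refused:", exc)
```

The random identifier only makes other companies' IDs hard to guess; the ownership check is what refuses the request when an ID leaks.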