How are MongoDB's ObjectIds generated?

Are they somewhat random?
I mean....would people be able to break them apart?
4 Answers
4
They are usually generated on the client side by the driver itself. For example, in Ruby, BSON::ObjectID can be used:
You can also generate your own ObjectIds. This is particularly useful if you want to use business identifiers.
Yes, they can be predicted if you have related ObjectIds available for analysis. But I suppose you'll agree it's much more difficult to guess than usual Identity columns in traditional DBs...
– Oct
Apr 28 '11 at 12:42
Yes, incremental ids are easier to guess, but Mongo ObjectId can not be considered safe.
– Maxence
Apr 28 '11 at 13:51
And since they are not random and can be easily broken apart, you can do this for example in the mongo shell: ObjectId().getTimestamp() to know when it was created.
– Peter
Apr 8 '14 at 13:27
Wouldn't a UUID provide more uniqueness? With this algorithm it does not seem to be impossible to generate duplicate ids... Where does the "machine"-id come from?
– wutzebaer
Jun 23 '14 at 8:22
They are not random and can be easily predicted:
A BSON ObjectID is a 12-byte value consisting of a 4-byte timestamp (seconds since epoch), a 3-byte machine id, a 2-byte process id, and a 3-byte counter
http://www.mongodb.org/display/DOCS/Object+IDs
Here's a JavaScript implementation of the MongoDB ObjectID (http://jsfiddle.net/icodeforlove/rN3zb/)
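    // Split a 24-character hex ObjectId into its four fields.
    function ObjectIdDetails (id) {
        return {
            // bytes 0-3: seconds since the Unix epoch
            seconds: parseInt(id.slice(0, 8), 16),
            // bytes 4-6: machine identifier
            machineIdentifier: parseInt(id.slice(8, 14), 16),
            // bytes 7-8: process id
            processId: parseInt(id.slice(14, 18), 16),
            // bytes 9-11: counter
            counter: parseInt(id.slice(18, 24), 16)
        };
    }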
So if you have enough of them they leak quite a bit of information about your infrastructure. And you also know the object creation dates for everything.
I.e., how many servers you have, and how many processes each server is running.
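Added example, not part of the original answers: a way to audit what a batch of ObjectIds exposed by your own application tells an observer, following the leak described in the answer above. It assumes the 4/3/2/3-byte layout quoted on this page; the function names parseObjectId and auditExposure and the sample ids are constructed for illustration.

```javascript
// Added example. Assumes the layout quoted on this page:
// 4-byte timestamp | 3-byte machine id | 2-byte process id | 3-byte counter.
function parseObjectId(id) {
    if (!/^[0-9a-fA-F]{24}$/.test(id)) {
        throw new Error('not a 24-character hex ObjectId: ' + id);
    }
    return {
        seconds: parseInt(id.slice(0, 8), 16),
        machine: id.slice(8, 14).toLowerCase(),
        pid: parseInt(id.slice(14, 18), 16),
        counter: parseInt(id.slice(18, 24), 16)
    };
}

// Summarise what an outside observer learns from the ids an API exposes.
function auditExposure(ids) {
    const parsed = ids.map(parseObjectId);
    const generators = new Map(); // "machine:pid" -> counters seen
    for (const p of parsed) {
        const key = p.machine + ':' + p.pid;
        if (!generators.has(key)) generators.set(key, []);
        generators.get(key).push(p.counter);
    }
    // Per generator: ids issued between the lowest and highest observed
    // counter that the observer never saw (ignores counter wrap-around).
    const unseen = {};
    for (const [key, counters] of generators) {
        const span = Math.max(...counters) - Math.min(...counters) + 1;
        unseen[key] = span - new Set(counters).size;
    }
    const seconds = parsed.map(p => p.seconds);
    return {
        firstCreated: new Date(Math.min(...seconds) * 1000).toISOString(),
        lastCreated: new Date(Math.max(...seconds) * 1000).toISOString(),
        machines: new Set(parsed.map(p => p.machine)).size,
        processes: generators.size,
        unseenPerGenerator: unseen
    };
}

// Constructed sample ids (not from any real deployment).
const SAMPLE_IDS = [
    '4db94a80a1b2c30fa0000010',
    '4db94a8ca1b2c30fa0000013',
    '4db94b00a1b2c30fa100002a',
    '4db94b3cd4e5f61b58000101'
];

console.log(auditExposure(SAMPLE_IDS));
```

If the summary reveals more than you are comfortable publishing, that is the signal to stop using the raw _id as a public identifier.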
MongoDB database drivers by default generate an ObjectID identifier that is assigned to the _id field of each document. In many cases the ObjectID may be used as a unique identifier in an application.
ObjectID is a 96-bit number which is composed as follows:
a 4-byte value representing the seconds since the Unix epoch (which will not run out of seconds until the year 2106)
a 3-byte machine identifier (usually derived from the MAC address),
a 2-byte process id, and
a 3-byte counter, starting with a random value.
It can be easily predicted. Have you read the source?
– Maxence
Apr 28 '11 at 12:13