How are MongoDB's ObjectIds generated?

Question

Are they somewhat random?

I mean....would people be able to break them apart?

Answer 1

They are not random and can be easily predicted :

A BSON ObjectID is a 12-byte value consisting of a 4-byte timestamp (seconds since epoch), a 3-byte machine id, a 2-byte process id, and a 3-byte counter

http://www.mongodb.org/display/DOCS/Object+IDs

Answer 2

Heres a javascript implementation of the MongoDB ObjectID (http://jsfiddle.net/icodeforlove/rN3zb/)

function ObjectIdDetails (id) {     return {         seconds: parseInt(id.slice(0, 8), 16),         machineIdentifier: parseInt(id.slice(8, 14), 16),         processId: parseInt(id.slice(14, 18), 16),         counter: parseInt(id.slice(18, 24), 16)     }; } 

So if you have enough of them they leak quite a bit of information about your infrastructure. And you also know the object creation dates for everything.

IE: how many servers do you have, and how many processes each server is running.

Answer 3

Generation

They are usually generated on the client side by the driver itself. For example, in ruby, BSON::ObjectID can be used:

• https://github.com/mongodb/bson-ruby/blob/master/lib/bson/object_id.rb#L369

You can also generate your own ObjectIds. This is particularly useful if you want to use business identifiers.

Breakability

• When using driver generated ObjectIds, is low
• When using own business Id, is slightly higher depending on their predictability (login, consecutives identifiers...)

Answer 4

MongoDB database drivers by default generate an ObjectID identifier that is assigned to the _id field of each document. In many cases the ObjectID may be used as a unique identifier in an application.

ObjectID is a 96-bit number which is composed as follows:

a 4-byte value representing the seconds since the Unix epoch (which will not run out of seconds until the year 2106)

a 3-byte machine identifier (usually derived from the MAC address),

a 2-byte process id, and

a 3-byte counter, starting with a random value.