Get AI summaries of any video or article — Sign up free
I gave away $1,000 to prove UUIDs are secure thumbnail

I gave away $1,000 to prove UUIDs are secure

Theo - t3․gg·
5 min read

Based on Theo - t3․gg's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

UUID v4 is designed for ~2^128 possibilities, making guessing infeasible when UUIDs are generated with cryptographically secure randomness.

Briefing

A public argument about whether UUIDs can be “brute forced” spiraled into a $1,000 cryptography challenge—and the outcome was a blunt demonstration that UUID v4’s randomness is not realistically guessable in practice when implemented correctly. The dispute began with a design question: if access to data is gated by a public URL containing a “super unique” UUID, does that make the data effectively private, or merely public because anyone can copy the URL? One commenter—Charlie—insisted UUIDs could be brute-forced by trying “all variations,” claiming the search space was far smaller than UUID v4’s real size.

UUID v4 is built to be “universally unique,” with an astronomically large space: about 2^128 possibilities (often cited as ~5.3 × 10^36). The odds of collisions in properly random generation are so low they’re compared to extremely unlikely physical events. The core technical point in the thread is that UUIDs only become guessable if randomness is badly implemented—such as using non-cryptographic randomness or reusing predictable state. The challenge’s back-and-forth hinged on Charlie’s numbers and assumptions. He floated a smaller exponent (2^32) and suggested a brute-force could succeed within hours under optimistic request rates. Theo pushed back that the math didn’t match UUID v4 at all, and that the “attack” Charlie referenced relied on outdated, narrow, and largely mitigated conditions—like specific historical Java randomness behavior—plus browser fixes years ago.

To settle the claim with something testable, Theo created a local decryption challenge. He generated two UUIDs in Node using crypto-random functions, encrypted a file using AES-256 (with a noted mistake: the chosen method could sometimes decrypt into garbage without the correct key), and offered $1,000 to anyone who could “crack this UUID”—meaning identify the exact UUID that produced the meaningful plaintext, not merely trigger a successful-looking decryption. The file was downloadable, and the intended workflow required no network requests: download, then decrypt locally. Charlie declined, arguing the prize wasn’t worth the server costs and raising questions about “proxy detection,” which Theo said were irrelevant because the attack didn’t require hitting an endpoint.

The thread then escalated into a public, interactive “every UUID” site built by developer Nolan. The site lets users scroll through UUIDs and attempts to decrypt the payload for each candidate, effectively turning the brute-force claim into a visible, hands-on experiment. Even with this tooling, no one found the correct UUID. Decryptions with wrong UUIDs produced nonsense or misleading partial results, and Theo added a hint (the first two letters are “th” and the plaintext is a valid English sentence) to filter out obvious garbage. After the challenge window, Theo revealed the plaintext: “There’s a literal 0% chance you are able to get into this file.”

The final takeaway is less about UUIDs being “secure forever” and more about engineering reality: UUID v4’s security depends on using proper cryptographic randomness and not confusing “possible in theory under broken randomness” with “feasible in real systems.” The chaos ended with Theo framing the whole episode as a cautionary tale about misunderstanding randomness, uniqueness, and what brute forcing actually costs in the real world.

Cornell Notes

The dispute centered on whether UUID v4 values embedded in public URLs can be brute-forced. UUID v4 is designed for ~2^128 possibilities, making guessing infeasible when UUIDs are generated with proper cryptographic randomness. Theo challenged a commenter’s claim by encrypting a file with a UUID-derived key and offering $1,000 for the exact UUID that yields the correct plaintext—not just any decryption that “doesn’t error.” A separate developer built an “every UUID” scrolling site that tried decryptions for many candidates, but wrong UUIDs produced nonsense and no one found the correct value. The revealed plaintext was “There’s a literal 0% chance you are able to get into this file,” underscoring that the practical attack path doesn’t match the confident but incorrect math from the thread.

Why does UUID v4 resist brute forcing in practice?

UUID v4 is intended to be “universally unique,” with an enormous space of about 2^128 (~5.3 × 10^36) possible values. When generated with cryptographically secure randomness, the chance of hitting the correct UUID by guessing is effectively zero for any realistic number of attempts. The thread also emphasizes that UUIDs only become predictable if randomness is implemented badly (e.g., non-cryptographic RNG or reused/persisted state).

What was wrong with the brute-force math claim in the thread?

Charlie argued UUIDs could be brute-forced by treating the search space as something like 2^32 and estimating success in roughly 12 hours under high request rates. Theo countered that this doesn’t align with UUID v4’s actual 2^128 space. Theo also questioned where the 2^32 figure came from and noted that the referenced “attack” scenario depended on outdated and narrow conditions that were mitigated long ago (including browser changes).

How did Theo structure the $1,000 challenge to test the claim fairly?

Theo encrypted a file using AES-256 and then offered the prize for identifying the exact UUID that produced the correct plaintext. He explicitly noted a small mistake: the chosen encryption setup could sometimes decrypt into nonsense without the correct key, so “decrypting successfully” wasn’t enough—finding the right UUID was. The challenge was designed to run locally: download the encrypted file and decrypt it on the attacker’s machine, avoiding network-rate-limit issues.

What role did Nolan’s “every UUID” site play?

Nolan built an interactive site that attempts to decrypt the payload while users scroll through UUID candidates. A special path (e.g., adding a suffix like /h theo) shows a box that stays on screen and runs decryption attempts in the browser. This turned the brute-force idea into a visible experiment, but wrong UUIDs still produced garbage, and the correct UUID was not found during the challenge window.

Why did Theo add hints like “the first two letters are th”?

Because decryptions with incorrect UUIDs could still yield outputs that look like plausible text fragments. By hinting that the plaintext begins with “th” and is a valid English sentence, Theo enabled filtering logic on the scrolling site to reduce noise from obvious garbage decodes (for example, outputs like “carrot r” that were not the intended message).

Review Questions

  1. What practical conditions would have to fail for UUID v4 to become guessable, and how does the thread distinguish “theoretical possibility” from “real-world feasibility”?
  2. Why is “successful decryption” not the same as “correct UUID” in Theo’s challenge setup?
  3. How does the size of the UUID v4 search space (2^128) change the expected time-to-guess compared with much smaller exponents like 2^32?

Key Points

  1. 1

    UUID v4 is designed for ~2^128 possibilities, making guessing infeasible when UUIDs are generated with cryptographically secure randomness.

  2. 2

    Claims that UUIDs can be brute-forced often rely on incorrect search-space math or on outdated scenarios involving broken randomness implementations.

  3. 3

    Theo’s $1,000 challenge required finding the exact UUID that yields the correct plaintext, not merely producing any decryptable output.

  4. 4

    The challenge was intentionally local (download then decrypt), so “proxy detection” arguments were largely irrelevant to the attack workflow.

  5. 5

    An interactive “every UUID” scrolling site demonstrated that even with tooling and hints, wrong UUIDs produce nonsense rather than the target message.

  6. 6

    The episode highlights a common security misunderstanding: confusing “possible under bad randomness” with “practically attackable in properly implemented systems.”

Highlights

The thread’s central technical correction: UUID v4’s space is about 2^128, not a small exponent that would make brute forcing plausible.
Theo’s challenge design tested the exact UUID needed for meaningful plaintext, not just whether decryption ran without errors.
Nolan’s scrolling “every UUID” site made the brute-force claim testable in public—and still produced no correct UUID.
The final plaintext revealed the intended result: “There’s a literal 0% chance you are able to get into this file.”

Topics

  • UUID v4 Security
  • Brute Force Math
  • Cryptographic Randomness
  • Local Decryption Challenge
  • Interactive UUID Explorer

Mentioned

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library