Peter Bromberg said:
Why do you think that a GUID is predictable? GUIDs are designed to be so
unique that the chance there will ever be an identical one to that which
was just generated, in your and my lifetimes, is virtually impossible.
The propertry of a GUID being globally unique does not necessarily mean that
it has to be particularly random or unpredictable.
Various GUID specs use the current time, system tick counts and node
identifiers (such as a MAC address) as a basis for creating a GUID. Hence
having sight of a reasonable set of such GUIDs created by a single server
gives an attacker a very reasonable chance at predicting other GUIDs it may
have generated.
Unless you are aware of that the specific algorithm used to generate GUIDs
has a sufficiently random nature, it may not be the best choice if you are
generating key values that need to be unpredictable for security reasons.
The .NET Guid.NewGuid() method does appear to be generating a random Guids
but the docs do not make any statement regarding its randomness. Hence to
rely on it being random and unpredicatable would, strictly speaking, be a
mistake.
