Should I always use an Oracle sequence?

AshokBusiness Strategy, Industry Trends, Technical TipsLeave a Comment

Oracle die-hard purists will generally swear up and down about using a sequence for assigning a unique identifier to an record/entity. However, are there situations when you might to consider avoiding this practice?

The below video explains that computer systems have been able to guess social security numbers for 8.5% of people born since 1989. That is alarming for a number of reasons. But it also got me thinking about situations I may have come across in the business world (and IT in general) that could suffer from a similar problem.

Imagine that you assign new customer accounts their unique IDs through incremented integers, like most database systems. Even though it is not always secure, I have seen a number of both internal and external systems (and business processes) that rely on people simply knowing an account number when retrieving information.

Someone could pretty easily use this information for unscrupulous purposes. Imagine an organization that distributed numeric, sequential account numbers for new customers that generally purchase a service with a standard contract term, like a mobile phone carrier that generally sells plans for two years at a time. Imagine their customer service department or self-service portal that identifies people/users by using this number. It would pretty easy for an external user to guess accounts numbers that are coming up for expiration after learning of just a couple (or even one). Likewise, it may be even easier for someone internally to guess account numbers for people coming up for expiration.

I haven’t decided on the level of risk undertaken, and certainly, other measure beyond just knowing an account number are generally implemented, but seeing the video certainly got me thinking about the wisdom of blindly assigning sequential numbers as unique identifiers for important entities in an organization.

Note: I can’t even count the number of web systems I have seen implemented with simple passing of identifiers in browser URLs without further security behind them which would allow an issue like this to snowball, but that is a separate issue for a different topic.

I’m interested in hearing from people that have perhaps had the need to tackle this concern.

Leave a Reply

Your email address will not be published. Required fields are marked *