Last Updated: 3/12/2026


Security Considerations

Nanoid is designed with security as a core principle. Understanding how it achieves secure random ID generation helps you use it appropriately.

Cryptographically Secure Random Generation

Nanoid draws its randomness from the platform's cryptographically secure random generator:

  • Node.js: crypto.getRandomValues() from the built-in node:crypto module (its Web Crypto implementation)
  • Browsers: the Web Crypto API (crypto.getRandomValues())

Both are backed by the operating system's CSPRNG (for example getrandom()/urandom on Linux or BCryptGenRandom on Windows), which is continuously reseeded from hardware entropy sources. Unlike Math.random(), these generators are designed so that no output can be predicted from previously observed output.

Unpredictability

Math.random() is a fast, non-cryptographic PRNG: its internal state can be recovered from a small number of observed outputs, after which subsequent values are known, so it is unsuitable for security-sensitive applications. IDs drawn from the Web Crypto source cannot be predicted or reproduced by an attacker, even one who has collected many other IDs.

Never use Math.random() for ID generation in production. Nanoid’s secure version should be your default choice.

Uniform Distribution

A common mistake in ID generators is picking characters with random % alphabet.length. Because 256 possible byte values (or 2^32 possible 32-bit values) is almost never a multiple of the alphabet size, the remainder wraps around and the first few characters of the alphabet come up more often than the rest (modulo bias). The resulting IDs carry less entropy than their length suggests, which shortens a brute-force search.

Nanoid instead uses a bitmask algorithm: each random byte is ANDed with the smallest all-ones mask that covers the alphabet, and any masked value that falls past the last alphabet character is discarded rather than wrapped. Every character is therefore equally likely, and the project's test suite checks the distribution.

Algorithm Transparency

All of Nanoid's security decisions are documented in the source code. The implementation is small (118 bytes minified and compressed) and can be audited in a few minutes. See the source code for the comments explaining the algorithm.

When to Use Non-Secure

The nanoid/non-secure version uses Math.random() instead of the cryptographically secure generator. Use it only when:

  • You're in an environment without a secure random source (no Web Crypto API and no crypto module)
  • Security is not a concern (e.g., temporary UI keys such as list keys for rendered elements)
  • Performance is critical and IDs don't need cryptographic strength

Never use non-secure for:

  • Authentication tokens
  • Session IDs
  • Database primary keys in security-sensitive systems
  • Any scenario where ID predictability creates a vulnerability

Collision Probability

With the default 21-character ID over the 64-symbol alphabet:

  • 126 bits of randomness (UUID v4 has 122)
  • By the birthday bound, about a one-in-a-billion chance of at least one collision after roughly 400 trillion IDs (the often-quoted 103 trillion figure is the one-in-a-billion point for UUID v4's 122 bits)

For custom alphabets or sizes, always verify the collision risk with the ID collision calculator before shipping.
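The calculator's arithmetic is easy to reproduce offline. The following is an added example, not nanoid code; the function names are this example's own. It uses the standard birthday-bound approximation p ≈ 1 - exp(-n² / 2N) with N = 2^bits, which is accurate whenever the number of IDs n is far smaller than N, and inverts it to answer the two questions a practitioner actually asks: how many IDs until a given risk, and how long an ID must be for a given volume.

```javascript
// Added example (not nanoid's own code): birthday-bound estimates for ID sizing.

// Bits of entropy in an ID of `size` characters drawn uniformly from `alphabetSize` symbols.
function idBits(alphabetSize, size) {
  return size * Math.log2(alphabetSize)
}

// Probability of at least one collision among `count` IDs with `bits` bits of entropy.
// p = 1 - exp(-n^2 / 2N); expm1 keeps precision when p is tiny.
function collisionProbability(bits, count) {
  const exponent = -(count * count) / (2 * Math.pow(2, bits))
  return -Math.expm1(exponent)
}

// How many IDs can be generated before the collision probability reaches `p`.
// Inverse of the formula above: n = sqrt(-2N * ln(1 - p)); log1p keeps precision for small p.
function idsForProbability(bits, p) {
  return Math.sqrt(-2 * Math.pow(2, bits) * Math.log1p(-p))
}

// Minimum ID length over `alphabetSize` symbols so that `count` IDs stay below probability `p`.
function minSizeFor(alphabetSize, count, p) {
  const bitsNeeded = 2 * Math.log2(count) - Math.log2(-2 * Math.log1p(-p))
  return Math.ceil(bitsNeeded / Math.log2(alphabetSize))
}

const nanoidBits = idBits(64, 21) // 126
console.log('nanoid default bits:', nanoidBits)
console.log('IDs for 1e-9 risk (nanoid, 126 bits):', idsForProbability(126, 1e-9).toExponential(3))
console.log('IDs for 1e-9 risk (UUID v4, 122 bits):', idsForProbability(122, 1e-9).toExponential(3))
console.log('risk after 1e14 default IDs:', collisionProbability(126, 1e14).toExponential(3))
console.log('min size for 1e9 IDs at 1e-9 risk (64 symbols):', minSizeFor(64, 1e9, 1e-9))
```

Running it shows the 103 trillion figure falling out of the 122-bit UUID v4 case, while the 126-bit default tolerates about four times as many IDs for the same risk. minSizeFor() is the check to run when shrinking the ID or switching to a smaller alphabet such as lowercase hex.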

Reporting Vulnerabilities

To report security vulnerabilities, use the Tidelift security contact. Tidelift coordinates the fix and responsible disclosure with the maintainers.
