
Why is knowing someone's ID an issue?

They are meant for identification; if anything, it should be a benefit that they are easily guessable.



> Why is knowing someone's ID an issue?

It increases the attack surface as an authorization vulnerability will allow an attacker to enumerate and access all records. Yes, it is security through obscurity, but a random (e.g. UUID) scheme makes it harder.
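
To make the point above concrete, here is an added example (not code from this thread) that models the two cases: a record store keyed by sequential integers versus one keyed by UUIDv4, each exposed through a handler that trusts the ID alone and a handler that also checks ownership. The `Store`, `Record`, user names and record bodies are all constructed for illustration. The attacker first guesses IDs, then is handed one of another user's IDs the way a link in a URL or log would leak it.

```python
import uuid
from dataclasses import dataclass


@dataclass
class Record:
    owner: str
    body: str


class Store:
    """Hypothetical record store; id_scheme is 'sequential' or 'uuid'."""

    def __init__(self, id_scheme):
        self.id_scheme = id_scheme
        self.records = {}
        self._next = 1

    def new_id(self):
        if self.id_scheme == "sequential":
            rid, self._next = str(self._next), self._next + 1
            return rid
        # uuid4() draws 122 random bits from os.urandom: unguessable, not secret.
        return str(uuid.uuid4())

    def add(self, owner, body):
        rid = self.new_id()
        self.records[rid] = Record(owner, body)
        return rid

    # Vulnerable handler: the ID is the only thing standing between the
    # caller and the record (the "authorization vulnerability" above).
    def get_unchecked(self, rid):
        rec = self.records.get(rid)
        return rec.body if rec else None

    # Fixed handler: the ID locates the record, the owner check authorizes it.
    def get_checked(self, rid, caller):
        rec = self.records.get(rid)
        if rec is None or rec.owner != caller:
            return None
        return rec.body


def build(scheme):
    """Constructed sample data: three records, three distinct owners."""
    store = Store(scheme)
    ids = {
        "alice": store.add("alice", "alice's invoice"),
        "bob": store.add("bob", "bob's invoice"),
        "carol": store.add("carol", "carol's invoice"),
    }
    return store, ids


def enumerate_attack(fetch, guesses=10_000):
    """Attacker tries small integers and random UUIDs; returns bodies obtained."""
    candidates = [str(n) for n in range(1, guesses + 1)]
    candidates += [str(uuid.uuid4()) for _ in range(guesses)]
    return [body for body in map(fetch, candidates) if body is not None]


def run(scheme, checked):
    """Returns (records leaked by guessing, whether a leaked link still works)."""
    store, ids = build(scheme)
    if checked:
        fetch = lambda rid: store.get_checked(rid, "mallory")
    else:
        fetch = store.get_unchecked
    by_guessing = len(enumerate_attack(fetch))
    # IDs live in URLs, referers and logs; assume mallory later sees bob's link.
    by_leaked_link = fetch(ids["bob"]) is not None
    return by_guessing, by_leaked_link


if __name__ == "__main__":
    for scheme in ("sequential", "uuid"):
        for checked in (False, True):
            print(scheme, "checked" if checked else "unchecked", run(scheme, checked))
```

Sequential IDs with no ownership check leak every record to a simple loop; UUIDs stop the loop but still hand over bob's record the moment his link is seen, and only the ownership check closes both paths.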


~128 bits worth of obscurity is considered real security for the time being, assuming a cryptographically secure PRNG.

That's like guessing a password 18 ASCII chars long.


> ~128 bits worth of obscurity is considered real security for the time being.

Sure, what I meant was UUIDs are not supposed to be confidential information, unlike passwords. They are exposed in URLs and whatnot.


Exactly, it's not that my systems use security through obscurity, it's the other ones mine ties into.

This was years ago and you don't see it as much anymore, but think autogenerated links to shitty CRM, ticketing, and project management software where the link is the query, a.k.a. Blahsoftware.local/info/bunchofgarbage?=userid+garbage+view+sensitiveinfo.html type stuff.



