{ Soham Kamani }

AboutBlog GithubTwitter

UUID1 vs UUID4 🔑

In many of the applications we build today, there is often a need to have a unique identifier for any piece of data we use in our application. The universally unique identifier, or UUID, was designed to provide a consistent format for any ID we use for our data. Another problem UUIDs were here to solve, was to not give a potential adversary any information about the data it represented.

As it turns out, making something unique and untraceable is not as straightforward as it seems. I mean, how do you ensure that there is just one copy of the identifier you made, and no more? And even then, how do you make sure that there is no correlation between any two identifiers?

The answer is, you can’t do both. This is a tradeoff between uniqueness and randomness that is represented by v1 and v4 of UUID generators.

So what are they really?

UUIDs are just 128 bit pieces of data, that is displayed as (128/4) = 32 hexadecimal digits, like this :

UUID v1 :

UUID v4 :

At first glance v1 and v4 look the same, but try regenerating them and the difference will be more apparent.

V1 : Uniqueness

UUID v1 is generated by using a combination the host computers MAC address and the current date and time. In addition to this, it also introduces another random component just to be sure of its uniqueness.

This means you are guaranteed to get a completely unique ID, unless you generate it from the same computer, and at the exact same time. In that case, the chance of collision changes from impossible to very very small because of the random bits.

This guaranteed uniqueness comes at the cost of anonymity. Because UUID v1 takes the time and your MAC address into consideration, this also means that someone could potentially identify the time and place(i.e. computer) of creation. Try regenerating the UUIDs above, and you will see that some part of the UUID v1 is constant.

V4 : Randomness

The generation of a v4 UUID is much simpler to comprehend. Each and every bit of a UUID v4 is generated randomly and with no inherent logic. It’s that simple. There is, therefore, no question of anonymity.

However, there is now a chance that a UUID could be duplicated. The question is, do you need to worry about it?

The short answer is no. With the sheer number of possible combinations (2^128), it would be almost impossible to generate a duplicate unless you are generating trillions of IDs every second, for many years. This is a laughable standard for any application in todays world, and not substantial enough to take into consideration.

So which one do we go with?

If you don’t know what to go with, go with v4. It’s good enough, and the chances of collision are practically none.

If you actually want your UUID to give some indication of the date and computer in which it was created, then UUID v1 may be for you.

Like what I write? Join my mailing list, and I'll let you know whenever I write another post


Soham Kamani

Written by Soham Kamani, an author,and a full-stack developer who has extensive experience in the JavaScript ecosystem, and building large scale applications in Go. He is an open source enthusiast and an avid blogger. You should follow him on Twitter