I have this code:
String uuid = UUID.randomUUID().toString().replace("-", "");
How safe is it to remove the "-" in the generated UUID? Would removing it defeat the purpose of it being globally unique and make the generated UUID prone to collisions?
Well, the source code shows UUID.randomUUID uses SecureRandom. As you can see, you can use either, but in a secure UUID you have 6 non-random bits, which can be considered a disadvantage if you are picky.
You should certainly detect if a collision occurs, and your application should throw an exception if it does happen. E.g. if the UUID is used as primary key in the database, then the database should throw an error when inserting a colliding ID.
Sandwich Attack: A New Way Of Brute Forcing UUIDs
Once an attacker knows the web application uses UUID v1 for generating the password reset link, they could take the approach listed below to guess the right token for an arbitrary account:
Each character can be a digit 0 through 9, or letter a through f. 32 hexadecimals x log2(16) bits/hexadecimal = 128 bits in a UUID. In the version 4, variant 1 type of UUID, 6 bits are fixed and the remaining 122 bits are randomly generated, for a total of 2¹²² possible UUIDs.
how safe it is to remove the "-" in the generated UUID
It's 100% safe since the dashes aren't part of the value. The String UUID is a hex representation of a 128-bit value. The dashes are there just for display purposes so UUIDs will be a bit easier on the eyes.
Just be careful when passing UUIDs in String form to external systems such as external APIs, databases, and things of that nature. They might be expecting the dashes to be there.
Let’s say I want to call the White House. Their phone number is (202) 456-1111. If I delete all the dashes and parentheses from that phone number, I’m left with 2024561111. I didn’t lose any information in the course of doing this - I just changed the formatting in a way that makes it harder to read. If I punch this number into my phone, it’ll still make the call properly because the phone system still knows that the first three digits are the area code and the next seven are the main number.
In the same way, the dashes in a UUID are like the extra punctuation in a phone number - they’re included so that it’s easier for a human to read some underlying large number. In UUIDs, that number is 128 bits long and is written in hexadecimal, so unlike a phone number it’s less “obviously” a number, but the basic principle is the same. Deleting the dashes won’t change the number and thus won’t impact security.
Now, what might happen is that doing so breaks formatting compatibility across platforms. Let’s go back to the phone number analogy. Some websites I’ve used won’t let me type in 2024561111 as a phone number. They’ll insist that I put in spaces, dashes, and parentheses, as in (202) 456-1111. (I’m not a fan of sites like that, but that’s another story.) So removing the dashes from your UUID could potentially be an issue if you need to pass a string representation of the UUID into some other process or service that’s expecting the full formatting, including the dashes.
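The two claims in the answers above, that the dashes carry no information and that exactly 6 of the 128 bits are fixed in a version 4 UUID, can be checked directly. The following is an added example, not code from the question or any answer; it uses Python's uuid module rather than Java's java.util.UUID, and the function names (make_v4, compact, canonical, fixed_bits) are assumptions made for the illustration. make_v4 builds a version 4 UUID from 16 random bytes the same way randomUUID() does with SecureRandom output, so you can see which 6 bits get overwritten and where they sit in the hex string.

```python
import re
import secrets
import uuid

# The canonical 8-4-4-4-12 layout. A strict consumer (an API schema, a
# database column with a CHECK, a validator library) may insist on this form.
CANONICAL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def make_v4(rand16: bytes) -> uuid.UUID:
    """Turn 16 random bytes into a version 4 UUID.

    Only 6 bits are overwritten; the remaining 122 are left as generated,
    which is where the 2**122 figure comes from.
    """
    if len(rand16) != 16:
        raise ValueError("need exactly 16 random bytes")
    b = bytearray(rand16)
    b[6] = (b[6] & 0x0F) | 0x40  # version: high nibble of byte 6 becomes 0100 (4 bits)
    b[8] = (b[8] & 0x3F) | 0x80  # variant: top two bits of byte 8 become 10 (2 bits)
    return uuid.UUID(bytes=bytes(b))


def is_v4(u: uuid.UUID) -> bool:
    return u.version == 4 and u.variant == uuid.RFC_4122


def compact(u: uuid.UUID) -> str:
    """32 hex characters, no dashes: what the question's replace("-", "") yields."""
    return str(u).replace("-", "")


def canonical(compact_hex: str) -> str:
    """Reinsert the dashes before handing the value to a strict consumer.

    uuid.UUID accepts the dashless form, so the conversion is a parse and a str().
    """
    return str(uuid.UUID(hex=compact_hex))


def round_trips(u: uuid.UUID) -> bool:
    """Both string forms parse back to the same 128-bit integer."""
    return uuid.UUID(compact(u)) == u and uuid.UUID(canonical(compact(u))) == u


def fixed_bits(u: uuid.UUID) -> tuple[str, str, int]:
    """Return the version nibble, the variant nibble and the random bit count.

    In the dashless string the version is character 12 and the variant
    nibble is character 16 (it reads 8, 9, a or b because its top bits are 10).
    """
    h = u.hex  # dashless hex, same thing the question's replace() produces
    return h[12], h[16], 128 - 4 - 2


def is_canonical(s: str) -> bool:
    return CANONICAL.match(s) is not None


if __name__ == "__main__":
    u = make_v4(secrets.token_bytes(16))
    print(u, compact(u), fixed_bits(u), round_trips(u))
    print("dashless form passes a strict validator:", is_canonical(compact(u)))
```

Python's uuid.UUID tolerates both spellings, which is why canonical() is a one-liner, but that tolerance is not universal: java.util.UUID.fromString rejects a 32-character string without dashes with an IllegalArgumentException. If you store the compact form, convert back with something like canonical() at the boundary where another system expects the standard layout.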