UUID.randomUUID() vs SecureRandom

I am trying to understand the advantages of using UUID.randomUUID() over a SecureRandom generator, as the former uses SecureRandom internally.

User3518958 asked Sep 30 '16 08:09



2 Answers

Well, the source code shows UUID.randomUUID uses SecureRandom.

    public static UUID randomUUID() {
        SecureRandom ng = numberGenerator;
        if (ng == null) {
            numberGenerator = ng = new SecureRandom();
        }
        byte[] randomBytes = new byte[16];
        ng.nextBytes(randomBytes);
        randomBytes[6]  &= 0x0f;  /* clear version        */
        randomBytes[6]  |= 0x40;  /* set to version 4     */
        randomBytes[8]  &= 0x3f;  /* clear variant        */
        randomBytes[8]  |= 0x80;  /* set to IETF variant  */
        return new UUID(randomBytes);
    }

As you can see, you can use either, but in a secure UUID you have 6 non-random bits, which can be considered a disadvantage if you are picky.

uoyilmaz answered Sep 19 '22 17:09


Random numbers have a random chance of being repeated. The lower the randomness (unless there is some coordination), the greater the chance of producing the same number twice.

https://en.wikipedia.org/wiki/Birthday_problem
As you produce more random numbers the chance of the same number being repeated increases as every id must be different to every other id.

SecureRandom allows you to choose how many bits of randomness you want. Make it too small and there is a good chance they will be repeated. You can get duplicate random 32-bit ids in a fraction of a second.

UUID sets the standard at 128 bits (or, as uoyilmaz points out, 122 bits are random). This is enough for most use cases. However, if you want a random String, I would be tempted to use more bits and/or a higher base than 16. Java, for example, supports base 36 and 64, which means you can have shorter ids, or more randomness for the same length ID.

Note: the UUID format has multiple '-' characters in its dump, though I don't see the value of them; they just make the string longer.

Peter Lawrey answered Sep 18 '22 17:09
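An added example, not code from the question or either answer, that makes the two points above concrete: the 6 fixed bits in a version-4 UUID, how fast 32-bit ids collide, and a SecureRandom id with a caller-chosen bit width and a denser (base64url) encoding. It uses only the JDK; the class and method names are my own.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

public class RandomIdDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Random id with the caller's choice of entropy, encoded URL-safe base64
    // (6 bits per character, versus 4 bits per character for hex).
    static String randomId(int bits) {
        byte[] buf = new byte[(bits + 7) / 8];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Birthday-bound estimate: expected number of colliding pairs among
    // n uniformly random ids of the given bit width, n(n-1)/2 / 2^bits.
    static double expectedCollisions(long n, int bits) {
        return (double) n * (n - 1) / 2 / Math.pow(2, bits);
    }

    // Draw 32-bit ids until one repeats; returns how many draws it took.
    // With 32 bits the first duplicate typically appears after ~80k draws.
    static int drawsUntilDuplicate32() {
        Set<Integer> seen = new HashSet<>();
        int draws = 0;
        while (seen.add(RNG.nextInt())) {
            draws++;
        }
        return draws + 1;
    }

    public static void main(String[] args) {
        UUID u = UUID.randomUUID();
        // 128 bits in total, but 4 version bits and 2 variant bits are fixed,
        // which is why version() is always 4 and variant() is always 2 here.
        System.out.println(u + " version=" + u.version() + " variant=" + u.variant());
        System.out.println("first 32-bit duplicate after " + drawsUntilDuplicate32() + " draws");
        System.out.println("expected colliding pairs among 1e9 122-bit ids: "
                + expectedCollisions(1_000_000_000L, 122));
        String id128 = randomId(128);
        System.out.println("128-bit base64url id: " + id128 + " (" + id128.length()
                + " chars vs 36 for a UUID string)");
        System.out.println("192-bit id in 32 chars: " + randomId(192));
    }
}
```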