Karuvii LogoKaruvii
Back to Insights
6 min read

UUID Security Best Practices

Are UUIDs Secure?

A common point of confusion among system architects is whether UUIDs can be used as secure, unpredictable tokens. The short answer is: it depends entirely on the UUID version and the source of entropy used to generate it. While UUID v4 is random, other versions are predictable, and choosing the wrong type can introduce severe vulnerabilities into your authorization and user session structures.

Security Considerations

1. Entropy and Randomness Source

A UUID v4 relies on 122 random bits. However, if the generator uses a weak pseudo-random number generator (PRNG) like JavaScript\'s Math.random(), the sequence of generated IDs becomes predictable after observing a few outputs. For secure implementations, always use cryptographically secure pseudo-random number generators (CSPRNG) such as the Web Crypto API\'s crypto.getRandomValues() in browsers, or the crypto module in Node.js.

Secure Identifier Generation

Generate unpredictable, secure identifiers without any information leakage.

Launch Secure UUID Generator

2. Avoid v1 for Public Identifiers

Version 1 UUIDs are constructed using the MAC address of the host network card and a timestamp. Exposing UUID v1 values in public APIs or URLs allows malicious actors to reverse-engineer the MAC address of your database servers and determine the exact timing of resource creation, which can aid in targeted network attacks or database enumeration.

3. Do Not Use v3 or v5 for Secrets

Because UUID versions 3 and 5 are namespace-based, they are completely deterministic. Given the same namespace and input name, the output will always be the same. Utilizing v3 or v5 for password reset tokens, session tokens, or API keys is an anti-pattern because any attacker who discovers the namespace and the input structure can easily generate the corresponding token.

4. Prevention of ID Enumeration

By replacing auto-incrementing integer IDs with UUIDs, you prevent automated scraping and enumeration attacks. An attacker cannot simply add 1 to a URL parameter to view another user's profile. However, this does not replace proper access control policies (RBAC/ABAC); UUIDs are opaque identifiers, not security credentials.

Generate Secure UUIDs

Launch our high-performance synthesis engine on MyUtilityBox for cryptographically secure UUID v4 identifiers.

Open MyUtilityBox