UUIDs (Universally Unique Identifiers) are 128-bit identifiers that are unique across space and time without requiring a central authority. They are ubiquitous in distributed systems, databases, and APIs. But not all UUIDs are created equal — different versions trade off uniqueness guarantees, randomness, and determinism. This article explains the major UUID versions, their generation methods, practical use cases, security considerations, and common pitfalls.
What Is a UUID?
A UUID is a 128-bit value typically represented as a 36-character string in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (32 hex digits with 4 hyphens). The standard is defined by RFC 4122. The version is indicated by the 13th character (hex digit), and the variant is indicated by the 17th character (hex digit). For example, in 550e8400-e29b-41d4-a716-446655440000, the 4 means it's a UUID v4.
UUID Versions
There are five main versions defined in RFC 4122, plus a few unofficial ones (v6, v7, v8). Here's a breakdown:
UUID v1 (Time-Based)
- Generation: Combines the current timestamp (100-nanosecond intervals since October 15, 1582), a clock sequence, and the node's MAC address.
- Uniqueness: High — time + MAC ensures uniqueness across machines.
- Determinism: Yes — given the same timestamp and MAC, the same UUID is produced.
- Use cases: Distributed systems where ordering by creation time is useful (e.g., event logs, version vectors).
- Pitfalls: MAC address exposure can be a privacy risk; clock skew can cause collisions; sequential nature can lead to index fragmentation in databases.
UUID v4 (Random)
- Generation: 122 random bits (6 bits are fixed for version/variant). Uses a cryptographically secure random number generator (CSPRNG).
- Uniqueness: Extremely high — probability of collision is negligible (2^122 possible values).
- Determinism: No.
- Use cases: Primary keys in databases, session identifiers, API tokens, any scenario where unpredictability is desired.
- Pitfalls: Randomness source matters — weak PRNG can produce collisions; no ordering; larger than auto-increment integers.
UUID v3 and v5 (Name-Based)
- Generation: Hash a namespace UUID and a name string using MD5 (v3) or SHA-1 (v5), then truncate to 128 bits.
- Uniqueness: Deterministic — same namespace + name always produces the same UUID.
- Use cases: Generating consistent identifiers from a canonical name (e.g., DNS names, URLs, object IDs).
- Pitfalls: Collisions possible if hash function has weaknesses (MD5 is considered broken for security); limited to 128-bit output.
UUID v6, v7, v8 (Draft/Experimental)
- v6: Reorders v1 fields to make it sortable by time (lexicographically).
- v7: Encodes a Unix timestamp (milliseconds) plus random bits — sortable and random.
- v8: Free-form, allows custom data.
- Use cases: Database-friendly UUIDs that reduce index fragmentation (e.g., v7 is recommended for new systems).
Comparison Table
| Version | Basis | Deterministic | Sortable | Privacy Risk | Collision Probability |
|---|---|---|---|---|---|
| v1 | Time + MAC | Yes | Yes (roughly) | High (MAC exposed) | Very low |
| v4 | Random | No | No | None | Negligible |
| v3 | MD5 hash | Yes | No | None (if namespace private) | Low (MD5 weakness) |
| v5 | SHA-1 hash | Yes | No | None | Very low |
| v7 | Timestamp + random | No | Yes | None | Negligible |
Security and Performance Considerations
- Randomness quality: Always use a CSPRNG (e.g.,
/dev/urandomon Linux,crypto.randomUUID()in Node.js) for v4. AvoidMath.random()orrand()— they are predictable and can lead to collisions or security issues. - MAC address exposure: UUID v1 leaks the node's MAC address, which can be used to identify hardware. In cloud environments, this can be a privacy concern. Use v4 or v7 instead.
- Index fragmentation: In databases, random UUIDs (v4) can cause B-tree index fragmentation because they are not sequential. UUID v7 (time-ordered) mitigates this.
- Storage size: UUIDs are 16 bytes (128 bits) — larger than auto-increment integers (4-8 bytes). Consider using binary(16) or a dedicated UUID type if available.
Worked Example: Generating UUIDs with Our Tool
Let's walk through generating UUIDs of different versions using our UUID generator.
- UUID v4 (Random): Click "Generate UUID v4" — the tool uses
crypto.getRandomValues()(CSPRNG) to produce a random UUID. Example output:
9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d
- UUID v1 (Time-Based): Click "Generate UUID v1" — the tool combines the current timestamp, clock sequence, and a random node (to avoid MAC exposure). Example:
c232ab00-5294-11ed-bdc3-0242ac120002
- UUID v5 (Name-Based): Enter a namespace (e.g., DNS:
6ba7b810-9dad-11d1-80b4-00c04fd430c8) and a name (e.g.,example.com), then click "Generate UUID v5". The tool computes SHA-1 and truncates:
cfbff0d1-9375-5685-968c-48ce8b15ae17
Try it in our UUID generator to see live examples.
Common Pitfalls
- Using UUID v1 in public-facing systems — exposes MAC address, a privacy risk.
- Using weak randomness for v4 —
Math.random()in JavaScript is not cryptographically secure; always usecrypto.randomUUID()or equivalent. - Assuming UUIDs are always unique — collisions are astronomically unlikely but theoretically possible; design systems to handle them gracefully (e.g., retry on insert).
- Using UUIDs as primary keys in large databases without considering performance — random UUIDs cause index fragmentation; consider v7 or a sequential UUID.
- Using UUID v3 instead of v5 — MD5 is considered weak; prefer SHA-1 (v5) for new implementations.
FAQ
What is the difference between UUID v4 and v7?
UUID v4 is fully random, while v7 encodes a Unix timestamp (milliseconds) in the first 48 bits, making it sortable by creation time. v7 reduces database index fragmentation and is recommended for new systems where time ordering is beneficial.
Can two UUIDs ever collide?
Yes, but the probability is extremely low. For UUID v4, there are 2^122 possible values. The chance of collision is about 1 in 2^71 for 1 billion UUIDs. In practice, you can ignore it, but systems should still handle duplicates gracefully (e.g., retry logic).
Should I use UUIDs as primary keys in my database?
It depends. UUIDs offer global uniqueness and avoid sequential enumeration, but they are larger (16 bytes vs 4-8 bytes for integers) and can cause index fragmentation if random. Use UUID v7 or a sequential UUID type for better performance. Many databases (PostgreSQL, MySQL 8.0+) have native UUID types.
Is UUID v1 safe to use in public APIs?
Not recommended — v1 includes the MAC address of the generating machine, which can be used for device tracking. Use v4 or v7 instead.
How do I generate a UUID in Node.js?
Use the built-in crypto.randomUUID() (Node.js 14.17+) for v4, or the uuid npm package for other versions:
const { v4: uuidv4 } = require('uuid');
console.log(uuidv4()); // e.g., '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'