UUID v1 vs v4
UUID v1 (Time-Based)
Pros
- Roughly sortable by creation time
- Guaranteed uniqueness via MAC address + timestamp
- No collision risk in distributed systems
- Useful for ordered database indexes
Cons
- Leaks MAC address — privacy concern
- Predictable if timestamp and node ID are known
- Clock regression can cause duplicates
- Not suitable for public-facing identifiers
UUID v4 (Random)
Pros
- No embedded machine or timestamp data
- Unpredictable — safe for public tokens
- Simple generation with crypto random bytes
- Default choice for most applications
Cons
- Not sortable by creation time
- Theoretical collision risk (astronomically low)
- Random distribution can fragment B-tree indexes
- No natural ordering for time-series queries
Verdict
Default to UUID v4 for public identifiers, API resources, session tokens, and any ID exposed to users or clients. Its unpredictability prevents enumeration attacks. Use UUID v1 only in trusted internal systems where time-ordering aids database performance and MAC address leakage is not a concern. For most web applications, v4 is the correct choice. If you need sortable IDs with privacy, consider UUID v7 or ULID instead of v1.
Related Tools
Deeper Reading
Frequently Asked Questions
Can UUID v4 collide?
Theoretically yes, but the probability is negligible (1 in 2^122). Safe for all practical applications.
Why does v1 leak privacy?
v1 embeds the generating machine's MAC address and timestamp, which can identify hardware and creation time.