How safe is it to remove the "-" in a randomly generated UUID?

I have this code:

String uuid = UUID.randomUUID().toString().replace("-", "");

How safe is it to remove the "-" in the generated UUID? Would removing it defeat the purpose of it being globally unique and make the generated UUID prone to collisions?

> how safe if is to remove the "-" in the generated UUID

It's 100% safe since the dashes aren't part of the value. The String UUID is a hex representation of a 128 bit value. The dashes are there just for display purposes so UUIDs will be a bit easier on the eyes.

Just be careful when passing UUIDs in String form to external systems such as external APIs, databases, and things of that nature. They might be expecting the dashes to be there.

Let’s say I want to call the White House. Their phone number is (202) 456-1111. If I delete all the dashes and parentheses from that phone number, I’m left with 2024561111. I didn’t lose any information in the course of doing this - I just changed the formatting in a way that makes it harder to read. If I punch this number into my phone, it’ll still make the call properly because the phone system still knows that the first three digits are the area code and the next seven are the main number.

In the same way, the dashes in a UUID are like the extra punctuation in a phone number - they’re included so that it’s easier for a human to read some underlying large number. In UUIDs, that number is 128 bits long and is written in hexadecimal, so unlike a phone number it’s less “obviously” a number, but the basic principle is the same. Deleting the dashes won’t change the number and thus won’t impact security.

Now, what might happen is that doing so breaks formatting compatibility across platforms. Let’s go back to the phone number analogy. Some websites I’ve used won’t let me type in 2024561111 as a phone number. They’ll insist that I put in spaces, dashes, and parentheses, as in (202) 456-1111. (I’m not a fan of sites like that, but that’s another story.) So removing the dashes from your UUID could potentially be an issue if you need to pass a string representation of the UUID into some other process or service that’s expecting the full formatting, including the commas.

The dashes in a properly formed UUID are not randomly placed in the string - it's a specific format detailed in the RFCs - http://www.ietf.org/rfc/rfc4122.txt

So, removing the dashes won't affect the uniqueness of the UUID.

However, it may cause issues with libraries that expect the dashes as part of a UUID to validate it as a UUID.

Why do you want to remove them?

You can check how the string is created by reading the javadoc:

UUID                   = <time_low> "-" <time_mid> "-"
                      <time_high_and_version> "-"
                      <variant_and_sequence> "-"
                      <node>
time_low               = 4*<hexOctet>
time_mid               = 2*<hexOctet>
time_high_and_version  = 2*<hexOctet>
variant_and_sequence   = 2*<hexOctet>
node                   = 6*<hexOctet>

So removing the - is fine, you can reinsert them at the correct position later on if you want, or recreate a UUID object containing the same information.

Regarding uniqueness: https://stackoverflow.com/questions/1155008/how-unique-is-uuid

The UUID is a 128-bit number.

The format in hexadecimal with hyphens is only a display rendering for human consumption. It is one of several possible display renderings, and the display format, with or without hyphens, is NOT the UUID itself.

The UUID is a 128-bit number. The four bits of digit M indicate the UUID version, and the one to three most significant bits of digit N indicate the UUID variant. The binary encoding of UUIDs varies between systems. Many systems encode the UUID entirely in a big-endian format.