Can someone tell me How good is Java's UUID.randomUUID?

Question

I know that randomized UUIDs have a very, very, very low probability for collision in theory, but I am wondering, in practice, how good Java's randomUUID() is in terms of not having collision? Does anybody have any experience to share?

Answer 1

UUID uses java.security.SecureRandom, which is deemed to be "cryptographically strong". While the original implementation is not defined and can vary between JVMs (meaning that any particular statements made are valid only for one specific JVM), it does mandate that the output must pass a statistically random number generator test.

It's forever desirable for an implementation to include subtle bugs that ruin all this (see OpenSSH key generation bug) but I don't believe there's any concrete idea to worry about Java UUIDs's randomness.