Right, some kinds of UUIDs achieve their uniqueness precisely by leveraging predictability. The unpredictable kind are mostly just random bits formatted in a particular (not very efficient) way.

The random ones don't have to be unpredictable randomness, either. For example, you might seed a good RNG with the local MAC address and boot time and then use that to generate v4 UUIDs. As far as I can tell, this would be perfectly legal and should produce UUIDs that are as likely to be unique as any other, but they would also be easy for an attacker to predict.

Basically the whole "version" UUIDs is a stupid fever dream. Any sane implementation should return 16 random bytes and be done. The fact that there's a spec for this and it's longer than 2 sentences is just wrong.

I think they were just afraid of the birthday paradox. But I agree, just grabbing some random bytes really is the way to go.

Although, I'm a bit afraid of the birthday paradox, maybe we should use 20 bytes instead....

The idea that a UUID should have a "version" and the random one uses 122 bits instead of 128 bits sorta makes ya wonder how concerned they were.

Yeah, spot on. At least now in 2015 using 16 bytes for id's and hashes no longer seems like a lot of memory or storage.

It pains me to see people inventing weird id schemes for every app and api.