How safe is it to remove the "-" in a randomly generated UUID?

how safe if is to remove the "-" in the generated UUID

It's 100% safe since the dashes aren't part of the value. The String UUID is a hex representation of a 128 bit value. The dashes are there just for display purposes so UUIDs will be a bit easier on the eyes.

Just be careful when passing UUIDs in String form to external systems such as external APIs, databases, and things of that nature. They might be expecting the dashes to be there.


Let’s say I want to call the White House. Their phone number is (202) 456-1111. If I delete all the dashes and parentheses from that phone number, I’m left with 2024561111. I didn’t lose any information in the course of doing this - I just changed the formatting in a way that makes it harder to read. If I punch this number into my phone, it’ll still make the call properly because the phone system still knows that the first three digits are the area code and the next seven are the main number.

In the same way, the dashes in a UUID are like the extra punctuation in a phone number - they’re included so that it’s easier for a human to read some underlying large number. In UUIDs, that number is 128 bits long and is written in hexadecimal, so unlike a phone number it’s less “obviously” a number, but the basic principle is the same. Deleting the dashes won’t change the number and thus won’t impact security.

Now, what might happen is that doing so breaks formatting compatibility across platforms. Let’s go back to the phone number analogy. Some websites I’ve used won’t let me type in 2024561111 as a phone number. They’ll insist that I put in spaces, dashes, and parentheses, as in (202) 456-1111. (I’m not a fan of sites like that, but that’s another story.) So removing the dashes from your UUID could potentially be an issue if you need to pass a string representation of the UUID into some other process or service that’s expecting the full formatting, including the commas.