Collision Probability: Are 128 Bits Really Safe?
Many developers worry that truncating SHA-256 to 128 bits might cause collisions. The mathematics says otherwise. In practice, the chance of two different seeds producing the same UUID is so small it will never happen in real testing scenarios.
The Birthday Paradox Explained
The birthday paradox tells us how many items we need before a collision becomes likely. For 128 bits, you would need roughly 2 to the power of 64 items before the probability reaches fifty percent. That number is larger than all the grains of sand on Earth.
Real-World Numbers
Even if you generate one billion seeded UUIDs every second for ten years, the probability of a single collision remains far less than one in a trillion. Most test suites contain fewer than ten thousand records total.
Testing vs Production
In production systems, true randomness is important for security. In testing, collisions only matter if they break your assertions. With reasonable seed names, you control uniqueness yourself, making the math even safer.
Extra Safety Margin
Using SHA-256 instead of the weaker SHA-1 gives an enormous safety buffer. Even if a theoretical attack existed on SHA-256, you would still need astronomical computing power to find a collision in a test dataset.
FAQ
How many UUIDs can I safely create?
Billions per project with zero worry. Most teams never exceed a few thousand.
Should I worry about birthday attacks?
No. The numbers required are impossible in testing contexts.
Is 128 bits enough for production?
For testing yes; for production secrets use full random UUIDs.
You can confidently use 128-bit seeded UUIDs knowing collisions will never affect your work.