Generate password reset token through UUID

Question

I am looking for mechanism to generate random unique alpha numeric key for resetting user password.

I've goggled a lot in this direction, but looks like this thing is not obvious thing.

I've tried something like that:

new String(encodeBase64URLSafe(UUID.randomUUID()));

But after reading the following article: Is UUID.randomUUID() suitable for use as a one-time password? looks like that this way is not fully correct.

It would be really appreciate if you answer on the following questions:

Which is secure way to generate such token using UUID?
Do we need to convert UUID string to base64 in order to have safe URLs or it would be enough to remove dashes from generated string?
Would be it correct to use mechanism from this link in such purpouses How to generate a random alpha-numeric string?, why?

score 8 · Accepted Answer · answered Jul 06 '15 at 11:17

Using an UUID is safe and secure. The linked article just says that an UUID is maybe a little too much for this kind of security. But well ... if you are "too" secure, no one will blame you.
An UUID is just alpha numeric characters and dashes. So if you need to put it in a query string or an URL, you have nothing to escape. You can remove the dashes to save some space if you want. But it is not required.
This mechanism is secure too. Both (UUID and this one) will works.

For this kind of security, all you have to do is to ensure that your token is randomly generated (even partially).

Thanks you Magus, It is exactly what I was looking for! – fashuser Jul 06 '15 at 11:28 — fashuser, Jul 06 '15 at 11:28

1 Answers1