Generating unique Hash in Java

Guys,

I need to generate a unique hash key for all users that are registering on my application and send them a confirmation email link that will activate their account. I'm considering to use UUID for generating the unique id. I'm trying to generate it based on the users email address. I would like to know if that would be a correct approach??

I'm trying something like:

UUID hash = UUID.fromString(emailAddress);

I would like to know if this is this solid, secure enough or do I have to do more and use a Crypto kind of an implementation to acheive this??

I would like to know which one is better??

MD5
SHA1
UUID

There is a contradiction in the term "unique hash key". Hash codes are not unique - a hashing algorithm will always have multiple possible inputs that result in the same hash code. (It's very easy to see theoretically why this is so - the hash code has fewer bits than the original data, so if there is a mapping from original data to hash keys, there must be some overlap). It's not possible to create unique IDs with a hashing algorithm.

MD5 and SHA1 are hashing algorithms, so they do not guarantee that you get a unique output for any input.

UUID is a universally unique identifier. It is not a hashing algorithm.

Jothi Shankar Kumar wrote:UUID hash = UUID.fromString(emailAddress);

This will not work and will most likely give you an IllegalArgumentException. You cannot put any arbitrary string into this method - it has to be a string that represents an UUID (as returned by UUID.toString()). It's not a method that generates a unique ID based on arbitrary input.

If you're looking for something that creates a unique ID based on arbitrary input - such a method can't exist in principle. (If you invent a method that does this, then you have discovered the ultimate compression algorithm and you'll win a Nobel prize in information theory... See Jan Sloot).

So how could I acheive a unique key for my case here?

Generate a unique ID, then store in a database somewhere which ID is associated with which user. When the user tries to activate the account using the ID, look the user's information up in the database.

You can create random unique IDs using the UUID class:
UUID id = UUID.randomUUID();
But, as I explained above, you cannot create unique identifiers based on some arbitrary input such as the user's e-mail address.

Jothi Shankar Kumar wrote:So how could I acheive a unique key for my case here?

Hash and unique key are two different things, but to answer your question...

If you want to generate a key for a single application, then the UUID class should be fine. If it is a group of applications, meaning that you can be generating it from many applications and on many machines -- then you probably need to create your own class that uses the host, pid, and probably system time. Regardless, it is probably best to use a service (such as a database) to generate the id.

Henry

Jesper Young wrote:Generate a unique ID, then store in a database somewhere which ID is associated with which user. When the user tries to activate the account using the ID, look the user's information up in the database.

You can create random unique IDs using the UUID class:
UUID id = UUID.randomUUID();
But, as I explained above, you cannot create unique identifiers based on some arbitrary input such as the user's e-mail address.

I understand what you meant here. But how unique is the randomUUID() generator?

The API documentation of class java.util.UUID explains that this method generates a type 4 (or version 4) UUID. The exact details of the algorithm are explained in RFC 4122.

For practical purposes, you don't need to worry that the generated IDs could be non-unique.

Somewhat convincing answer here... http://en.wikipedia.org/wiki/Universally_Unique_Identifier#Java

Jothi:

I'm not sure what you mean by 'somewhat convincing'. I went to the page, and it's not an argument, but an explanation.

John.

It was convincing to me that the unique key that I'd be generating will not be a duplicate!

Jothi Shankar Kumar wrote:I need to generate a unique hash key for all users that are registering on my application and send them a confirmation email link that will activate their account. I'm considering to use UUID for generating the unique id. I'm trying to generate it based on the users email address. I would like to know if that would be a correct approach??

No it's not. The best way is to keep a global counter (starting at 0). When a user registers he/she gets the counter number as id, and then you increment the counter by 1.

In this way you're 100% sure each user gets a unique id. There is not other way to ensure that really.

Also, from a principle standpoint, the id's will be random. They're random in the sense that no user can know what number they're going to get.

Ulrika Tingle wrote:

Jothi Shankar Kumar wrote:I need to generate a unique hash key for all users that are registering on my application and send them a confirmation email link that will activate their account. I'm considering to use UUID for generating the unique id. I'm trying to generate it based on the users email address. I would like to know if that would be a correct approach??

No it's not. The best way is to keep a global counter (starting at 0). When a user registers he/she gets the counter number as id, and then you increment the counter by 1.

In this way you're 100% sure each user gets a unique id. There is not other way to ensure that really.

But you have to synchronize the counter, or you will run into problems in a multi-threaded environment. AtomicLong can help out here to do the hard work, with its incrementAndGet() and getAndIncrement() methods, the synchronized versions of ++l and l++.

Guys, this seems to be running totally off the topic. I'm looking for a solution to send the user an email which has a registration key and it is this registration key that I have to generate uniquely for each user.

Why will I create a counter starting at 0 and increment that for each user when I store the user details in the database. Ofcourse I have the primary key. Don't I?

a suitably large random string would work then. store the string in the DB, compare when they return.
It doesn't need to be unique if they send their email address too.