GUIDs (often called UUIDs) are widely used in modern web applications. One common use is generating one-time-use tokens, for example for password reset and e-mail confirmation routines.

RFC 4122 defines five UUID versions. Four of the five are generated in a predictable manner, which means that someone who obtains a sample of UUIDs generated by the target application can predict the ones it will generate next.

Version four is the only UUID version expected to be randomly generated. Therefore, wherever predictable tokens are not acceptable (e.g. password reset tokens), all other versions should be avoided.

When using GUIDs/UUIDs for generating tokens that should not be predictable, use version four.

This example shows a UUID v1 being used for a password reset routine.
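As an added illustration (not the page's own example code), the following Python shows the vulnerable pattern next to its hardened form and a small audit helper a defender can run over issued tokens. It uses only the standard library `uuid` module; the sample token list is constructed for the example (the first entry is the RFC 4122 DNS namespace UUID, which happens to be a version 1 value), and the function names are this example's own.

```python
import uuid

# --- Vulnerable pattern: a version-1 UUID as a one-time reset token ---------
# A v1 UUID is 60 bits of timestamp + 14 bits of clock sequence + 48 bits of
# node id. Only the timestamp changes meaningfully between calls, so a sample
# of issued tokens fixes most of the bits of the next one.
def insecure_reset_token() -> str:
    return str(uuid.uuid1())


# --- Hardened pattern: version 4, 122 bits drawn from the OS CSPRNG ----------
def secure_reset_token() -> str:
    return str(uuid.uuid4())


def uuid_version(token: str):
    """Return the RFC 4122 version of token, or None if it does not parse as a UUID."""
    try:
        return uuid.UUID(token).version
    except ValueError:
        return None


def is_predictable_uuid(token: str) -> bool:
    """True when token is an RFC 4122 UUID of a non-random version (1, 2, 3 or 5)."""
    return uuid_version(token) in (1, 2, 3, 5)


def v1_fields(token: str) -> dict:
    """Decompose a v1 UUID into the fields that make it predictable."""
    u = uuid.UUID(token)
    if u.version != 1:
        raise ValueError("not a version-1 UUID")
    return {"time": u.time, "clock_seq": u.clock_seq, "node": u.node}


def audit_tokens(tokens):
    """Return the tokens an audit should flag: UUIDs of a predictable version.
    Opaque non-UUID strings and v4 UUIDs pass."""
    return [t for t in tokens if is_predictable_uuid(t)]


# Constructed sample (not from the page): the RFC 4122 DNS namespace UUID (v1),
# a commonly quoted v4 example value, and an opaque string that is not a UUID.
SAMPLE_TOKENS = [
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8",  # version 1
    "550e8400-e29b-41d4-a716-446655440000",  # version 4
    "not-a-uuid",
]


if __name__ == "__main__":
    a, b = insecure_reset_token(), insecure_reset_token()
    fa, fb = v1_fields(a), v1_fields(b)
    print("two v1 tokens share the node field:", fa["node"] == fb["node"])
    print("v1 timestamps only move forward:  ", fa["time"] < fb["time"])
    print("flagged in sample:", audit_tokens(SAMPLE_TOKENS))
    print("hardened token version:", uuid_version(secure_reset_token()))
```

Running the script shows two back-to-back v1 tokens sharing their node field with a strictly increasing timestamp, while `audit_tokens` flags only the v1 entry of the sample. The version check reads the version nibble of the third group (`11d1` versus `41d4` above), which is what a log-based audit of an application's reset links would look at.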

  • UUID RFC (RFC 4122).
  • Daniel Thatcher, "In GUID We Trust" (article).
  • UUID exploitation tool.