by berkes 2192 days ago
> major attack vector

That seems hyperbolic to me. If you rely on UUID for security, it seems, to me, something is wrong in your architecture and the security flaw lies there.

When would you, legitimately, rely on GUID/UUID for security?

2 comments

You can totally use uuid4 as password reset tokens, and they could be slightly nicer than random urlsafe strings for your database, provided they’re generated securely, not from givemeguid.com.
You can use the UUID v4 as a secret I guess.
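
The password-reset use mentioned in the comments above, as an added example that is not part of the thread: a version 4 UUID taken from the operating system's CSPRNG, stored only as a hash, and accepted once before it expires. The function names, the in-memory `PENDING` store and the 15-minute lifetime are assumptions made for this sketch.

```python
import hashlib
import time
import uuid

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not taken from the thread

# In-memory stand-in for a database table: token digest -> (user_id, expiry)
PENDING = {}


def digest(token):
    """SHA-256 of the canonical token text; this is all the server keeps."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Return a fresh token for the user and record its digest and expiry."""
    now = time.time() if now is None else now
    # CPython's uuid4() takes its 16 bytes from os.urandom(), leaving
    # 122 random bits after the version and variant fields are set.
    token = str(uuid.uuid4())
    PENDING[digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(presented, now=None):
    """Return the user id for a valid token, consuming it; otherwise None."""
    now = time.time() if now is None else now
    try:
        # Canonicalise (case, braces, urn: prefix) before hashing
        parsed = uuid.UUID(presented)
    except (ValueError, AttributeError, TypeError):
        return None
    if parsed.version != 4:
        # Other UUID versions embed timestamps or names and are guessable
        return None
    # Look up by digest, so the raw secret is never stored or compared
    entry = PENDING.pop(digest(str(parsed)), None)  # pop makes it single use
    if entry is None:
        return None
    user_id, expires = entry
    return user_id if now <= expires else None
```
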