diff --git a/spec/RestCreate.spec.js b/spec/RestCreate.spec.js
index 244555075a..b769a3b576 100644
--- a/spec/RestCreate.spec.js
+++ b/spec/RestCreate.spec.js
@@ -57,6 +57,50 @@ describe('rest create', () => {
       });
   });
 
+  it('handles anonymous user signup', (done) => {
+    var data1 = {
+      authData: {
+        anonymous: {
+          id: '00000000-0000-0000-0000-000000000001'
+        }
+      }
+    };
+    var data2 = {
+      authData: {
+        anonymous: {
+          id: '00000000-0000-0000-0000-000000000002'
+        }
+      }
+    };
+    var username1;
+    rest.create(config, auth.nobody(config), '_User', data1)
+      .then((r) => {
+        expect(typeof r.response.objectId).toEqual('string');
+        expect(typeof r.response.createdAt).toEqual('string');
+        expect(typeof r.response.sessionToken).toEqual('string');
+        return rest.create(config, auth.nobody(config), '_User', data1);
+      }).then((r) => {
+        expect(typeof r.response.objectId).toEqual('string');
+        expect(typeof r.response.createdAt).toEqual('string');
+        expect(typeof r.response.username).toEqual('string');
+        expect(typeof r.response.updatedAt).toEqual('string');
+        username1 = r.response.username;
+        return rest.create(config, auth.nobody(config), '_User', data2);
+      }).then((r) => {
+        expect(typeof r.response.objectId).toEqual('string');
+        expect(typeof r.response.createdAt).toEqual('string');
+        expect(typeof r.response.sessionToken).toEqual('string');
+        return rest.create(config, auth.nobody(config), '_User', data2);
+      }).then((r) => {
+        expect(typeof r.response.objectId).toEqual('string');
+        expect(typeof r.response.createdAt).toEqual('string');
+        expect(typeof r.response.username).toEqual('string');
+        expect(typeof r.response.updatedAt).toEqual('string');
+        expect(r.response.username).not.toEqual(username1);
+        done();
+      });
+  });
+
   it('test facebook signup and login', (done) => {
     var data = {
       authData: {
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 446a2db9a2..e1af0b840d 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -56,7 +56,7 @@ function RestWrite(config, auth, className, query, data, originalData) {
     this.data.updatedAt = this.updatedAt;
     if (!this.query) {
       this.data.createdAt = this.updatedAt;
-      this.data.objectId = newObjectId();
+      this.data.objectId = newStringId(10);
     }
   }
 }
@@ -319,8 +319,7 @@ RestWrite.prototype.transformUser = function() {
     // Check for username uniqueness
     if (!this.data.username) {
       if (!this.query) {
-        // TODO: what's correct behavior here
-        this.data.username = '';
+        this.data.username = newStringId(25);
       }
       return;
     }
@@ -714,13 +713,13 @@ RestWrite.prototype.objectId = function() {
   return this.data.objectId || this.query.objectId;
 };
 
-// Returns a unique string that's usable as an object id.
-function newObjectId() {
+// Returns a unique string that's usable as an object or other id.
+function newStringId(size) {
   var chars = ('ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                'abcdefghijklmnopqrstuvwxyz' +
                '0123456789');
   var objectId = '';
-  var bytes = crypto.randomBytes(10);
+  var bytes = crypto.randomBytes(size);
   for (var i = 0; i < bytes.length; ++i) {
     // Note: there is a slight modulo bias, because chars length
     // of 62 doesn't divide the number of all bytes (256) evenly.