I've audited a lot of password generators. One thing I see come up occasionally is shuffling the source characters or word list before using a CSPRNG to pick one at random.
For example, something like (pseudocode):
chars = digits + lower + upper + symbols
chars.shuffle()
chars[rng.randint(0, chars.length - 1)]
Shuffling the source character set doesn't increase the entropy of the generation process.
A CSPRNG picking from an ordered list is just as random as one picking from a shuffled list.
Aaron Toponce ⚛️:debian: /
npub1t9…t8529
2024-07-26 00:06:39
Author Public Key
npub1t9cz9v7zph5jvadd8rjfp25msrx6r0hdxnsyfmx88k8qp3pvv04szt8529Published at
2024-07-26 00:06:39Event JSON
{
"id": "ffea9d8e1fb7e7bf38efe3846b8b2f7a4bea1d0af5afcce6e6855f457b5bae1e",
"pubkey": "597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb",
"created_at": 1721945199,
"kind": 1,
"tags": [
[
"proxy",
"https://fosstodon.org/@atoponce/112849400598613250",
"web"
],
[
"proxy",
"https://fosstodon.org/users/atoponce/statuses/112849400598613250",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://fosstodon.org/users/atoponce/statuses/112849400598613250",
"pink.momostr"
],
[
"-"
]
],
"content": "I've audited a lot of password generators. One thing I see come up occasionally is shuffling the source characters or word list before using a CSPRNG to pick one at random.\n\nFor example, something like (pseudocode):\n\nchars = digits + lower + upper + symbols\nchars.shuffle()\nchars[rng.randint(0, chars.length - 1)]\n\nShuffling the source character set doesn't increase the entropy of the generation process.\n\nA CSPRNG picking from an ordered list is just as random as one picking from a shuffled list.",
"sig": "2dc9c88d2bf05a21e9226645880f51d25d9557f57db6a32bd10b3612385575cbcd11e7b73cbd32f496d436a55e2e54e21e7914178c10a383229d2bc2c9259173"
}