Generating Secure Random Passwords

[sstubbs]

Hi,

Is using the following secure for generating user passwords?

random_string: String = thread_rng().sample_iter(&Alphanumeric).take(30).collect();

[burdges]

If users must ever manually copy or worse remember this, then checkout https://crates.io/search?q=diceware

We rarely encounter birthday bound problems with passwords used by humans, so normally going above 128 bits of entropy harms user experience needlessly. Alphanumeric has 2*26 + 10 = 62 symbols, so 5.95 bits of entropy per symbol. Your code gives 178 bits of entropy. It's fine if you use excessive passwords when only machines use I guess.

[sstubbs]

ok thanks a lot. Some passwords are for people and some are for other software so I will use diceware as you suggest for the ones used by people.

[dhardy]

Question answered, so I guess we can close this. But before we do, adding documentation to this effect somewhere (perhaps on the Alphanumeric type, or perhaps just in the book) may be worthwhile. @burdges would you like to make a PR?