1 of 1 people found this helpful
Best Practice: Use something that nobody else can figure out easily <--- Good Luck
This principal should/can be used to generate any type of key, such as passwords.
There's an exact answer to this: if you abide by the common NIST recommendation (as a US-based company, this is a good idea) it should contain a minimum of 112 bits of entropy as it will be used as a SHA-1 key.
If you confine yourself to case-insensitive hex characters (0–9, A-F) 112 bits = 28 random characters.
If you use the wider (a-z, A-Z, 0–9) range then you need 22 characters. And so on.
You should use an online random key generator to gen the key. Don't try to hand-enter it if you want real randomness (the key won't be hand-entered later so it is easily machine-generated).
awesome thank you so much Sanford!