I recently came up with an interesting idea for making better passwords you might like to implement. OK, so there is this website that generates true random numbers using atomic decay. It has a Java library but also an HTTP API if you don't use Java (I don't know what language you used for keystash).

Because the numbers are true random, this makes it more ideal for password generation as it has even distribution. It also runs over an encrypted HTTPS connection, making it hard to intercept the numbers used.

On the downside, you have to trust the website and the machine that makes the numbers and hope nobody takes the time to decrypt that connection you made when generating the numbers.

Well, I came up with a solution to this problem... You take a true random number from this website, then add it to a fractional pseudorandom number greater than the negative of the true random number and less than or equal to the number of choices in the array minus the true random number generated by Java's SecureRandom class and round it to the nearest whole number. This is a way of getting around the uneven distribution of even + even = even, odd + odd = even, even + odd = odd. In other words any equation involving adding numbers is more likely to end up even than odd. If you add a random fractional number, it has an equal chance of staying even or switching to odd when rounding is involved. You use the resulting number to select the character or number from the array of possible choices.

This method should lead to more even distribution of the possibilities, and because there is an additional pseudorandom number added to the original number, the result is trustless. Even if the true random number website starts to broadcast the same number over and over again to try and control the resulting password, they will just end with a standard pseudorandom number between zero and the index of the last result in the array, which is no worse than where you started off just using your standard pseudorandom number.

So really there is nothing to lose with this method and true random password generation to gain.
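
A related way to combine the two sources, as an added example that is not part of the original post or of keystash: it XORs the remote bytes with local CSPRNG bytes and picks array indices by rejection sampling, rather than the fractional-offset rounding described above. `fetch_remote` is a hypothetical callable standing in for the website's HTTP API, Python's `secrets` module stands in for Java's SecureRandom, and the alphabet is a constructed sample.

```python
import secrets
import string

# Constructed sample alphabet: 62 possible characters.
ALPHABET = string.ascii_letters + string.digits


def mix(remote: bytes, local: bytes) -> bytes:
    """XOR two equal-length byte strings.

    If either input is uniform and chosen independently of the other,
    the output is uniform, so a stuck or hostile remote source cannot
    make the result worse than the local CSPRNG alone.
    """
    if len(remote) != len(local):
        raise ValueError("inputs must have the same length")
    return bytes(r ^ l for r, l in zip(remote, local))


def pick_indices(stream: bytes, n: int) -> list[int]:
    """Map bytes to indices in [0, n) without modulo bias.

    Bytes at or above the largest multiple of n that fits in 256 are
    discarded (rejection sampling), so every index is equally likely.
    """
    if not 1 <= n <= 256:
        raise ValueError("n must be between 1 and 256")
    limit = 256 - (256 % n)
    return [b % n for b in stream if b < limit]


def generate_password(length, fetch_remote,
                      local_source=secrets.token_bytes, alphabet=ALPHABET):
    """Build a password from remote bytes mixed with local CSPRNG bytes.

    fetch_remote(n) is a hypothetical callable returning up to n bytes
    from the remote service; a short or empty reply is zero-padded, which
    simply leaves the local bytes unchanged for those positions.
    """
    chars = []
    while len(chars) < length:
        need = 2 * (length - len(chars))  # over-request to cover rejects
        remote = (fetch_remote(need) or b"")[:need].ljust(need, b"\0")
        local = local_source(need)        # never leaves this machine
        for i in pick_indices(mix(remote, local), len(alphabet)):
            chars.append(alphabet[i])
    return "".join(chars[:length])
```
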