Ah sorry I didn’t make it entirely clear. We aren’t trying to build a PRNG from SHA, we’re just trying to create a single unique string to use as a user id. The old algorithm took something like 16 calls to random and drew from a 64 character alphabet for each call, thereby creating a 16 char long string. But that was creating collisions. So instead we now take the browser fingerprint (plus current time and a call to random), hash it with SHA1, and convert that into a 30 character string drawn from a 64 char alphabet.

The SHA1 output is a 160 bit number, however in practice we don’t get that amount of randomness. We estimate that the browser fingerprint plus current time and a call to random contains only about 80 bits of entropy. That’s still in the range that we won’t see any collisions in practice, and so far that seems to be holding up.