Add a technical explanation of the 256 character cap on the alphabet

[davidklebanoff]

The README says the "alphabet must contain less than 256 symbols.". It would be nice to have a technical explanation of why. Hopefully something more than "It will not be secure." :)

[ai]

It is just algorithm limits. Symbols on 256, 257, … positions will be ignored.

I change text a little 9796c48

Maybe you can do it better.

[ai]

If you didn’t want to explain it better, I will release 1.0.

[davidklebanoff]

You'll want to address the language here: https://github.com/ai/nanoid/blob/039fe3fca8bd3d0be3103bc010e781d5d87078cc/format.js#L4

Which states "Alphabet must contain 256 symbols or less. Otherwise, the generator will not be secure.". It's both wrong because it should be "less than 256 symbols", and also the part about it "not being secure" is confusing.

And possibly add a length check in the function to throw an appropriate error for alphabets greater than 255 characters.

[ai]

It's both wrong because it should be "less than 256 symbols"

Nope, random byte has values between 0...255 (from 0), so 256 symbols (we start to count from 1) could be matched in this interval.

not being secure

I am open for suggestion :). It is less secure because we use random bytes per symbol, so any >255 symbols will be ignored in ID.

And possibly add a length check in the function to throw an appropriate error for alphabets greater than 255 characters.

Do you know real cases for this? ;)

[davidklebanoff]

I was just going off the language you used in the commit you were referencing (9796c48), which stated "Only alphabets with less than 256 symbols are supported." Either format.js is wrong or the README is wrong as they conflict. :)

[ai]

Ouh, understand :).

I copied text from generate.js to README.md. Is it OK right now?