...

The second way is to use a passphrase that is at least 8 characters long. The mi2b2 client will first generate a salt using the user's username that is used to log onto i2b2. The salt is randomly generated using the SHA1PRNG (SHA1 Pseudo Random Number Generator) algorithm. The random number generator is seeded with the user's username. (This is the reason why two users using the same passphrase will generate two different keys.) If no such algorithm exists on the particular platform, the platform default will be used instead. The salt is 16 bytes long. Then the following process is repeated:

1. A temporary array is created to contain the concatenation of the The passphrase and the salt are concatenated and saved in a temporary array of bytes.
2. A 256-bit long cryptographic hash (using SHA-256) of the temporary array is computed.
3. The hash is saved as the new passphrase.
4. Restart in the first step.

These steps repeat for 1024 times. The final passphrase is then used as the key. The use of salt and the 1024 repetition is to discourage and slow down dictionary and brute force attacks at guessing the passphrase.

...