Algorithm to generate secret needs to be analyzed, a lot.

[wlaurance]

Relevant source code https://github.com/t3mpus/tempus-api/blob/master/models/user_credential.coffee#L18-L21

Statistical Analysis of SHA256. Seems like you good read, http://www.femto-second.com/papers/SHA256LimitedStatisticalAnalysis.pdf

This secret is generated per sign up or secret key reset, thus could easily be a more expensive computational task to increase distribution if necessary.