
random string generated by openssl is not so random.

When I use openssl rand to generate a random string, why does it always have a = at end?

If I reduce the number of bits to 16 I get two equals (==) at the end always. I am wondering why it happens so. man

For example, on a MacBook running OS X Mavericks:

$ Darwin aria.local 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
$ for i in $(seq 1 10)
for> do
for> openssl rand -base64 32
for> done

dDzk7B6SrcMnpkO2LLM4TaWKMjzBXHj1CmLO4t0HXdo=
QtP2kxQBg+yOCmowvEDWNdrSLobYyeXRz6HLDq3Q6rA=
iRmlr1JxRYjVGq3zkX9jgAoSAbu1F2Wm6CRJ9ZvYCR0=
Z/Wg//Z4Xjpzl3/ve87D2Pyk+dUgm6XHpFpyyeGXJKw=
XAVdp2B0RJlPCYRBBs3Q+C8X8aEbLQgXgXo5bhZkn8s=
eu8JcAwupYrX7GPfVnihTKXbzSsRYyW8VUWi+TN8oYA=
ZHPIj9PgiOi2SPwfrO4nKH1gIFEXlgXM320yDdpOelw=
7zjdIlSDT2lYiUziGx4Nc+uhoAlfTQKnXW+wB5omG6M=
nu+QKhD50dE6EQqCD56sPzMSARWuqi2d39UVtTyk0+w=
Wd4xQ/Eh1lnCiSn9cds4/mRc3FTEunhvrGskl3rJwZ4=

I repeated this on a Debian box I own:

$ uname -a
Linux ip-10-229-17-26 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
$ for i in $(seq 1 10)  
> do
> openssl rand -base64 32
> done

pq+imMSMaXg2qW25d+/QCh3fVv/QevgdOXYZc4UlDRk=
lDm4Rno9jUikYOd0II225J97dExqLs4yl2gDSRDrafU=
QyYGkx1tgEWOiAmK4fTdbsnDPcfhjh3WejcBr1JdRlE=
P9RRi6JDo0/cWVXtReDJ6lA0XKiT9CB8bMePl7vMH2U=
z/TSy0qAfijl9mCKjxGsZfJySnbqGO3ML2/QYwsent8=
zLjDTakHyp6cJn16kKuTeQLY3azVuA/gTJ5XZshoahY=
uVxA/YweYs4HFxYa+3aJG3c5V0wFNmX+6VjZwjgbr8Q=
7Lx4W6t4GkfoZez3pspOVop2lL1KuTQgGn9KJtaWU44=
OF5DfOP4c/V+WmxvBpS5QRyGd2j+cqoDKUkwlTd1T0I=
2ANn1T07mmECnmzOgLDMjJvU/VrRVWbkCf6qgBQpg3A=

Dhananjay Balan asked Dec 11 '13 07:12


1 Answer

The "=" and/or "==" is coming from the base 64 padding. The "==" and/or "=" sequence indicates that the last group contained only 8 or 16 bits, respectively.

Have a look at this Wikipedia post.

and a copy/paste from above:

When decoding Base64 text, four characters are typically converted back to three bytes. The only exceptions are when padding characters exist. A single '=' indicates that the four characters will decode to only two bytes, while '==' indicates that the four characters will decode to only a single byte.

Frank answered Oct 16 '22 12:10
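
The padding rule from the answer, as an added example that is not part of the original post: the number of `=` characters depends only on the byte count modulo 3, never on the random bytes themselves. The function names are made up for this illustration, and it assumes a POSIX shell with `openssl` on the PATH (the comparison loop is skipped if it is missing).

```shell
#!/bin/sh
# Added example (not from the original post): predicts base64 padding from the
# byte count alone, then compares the prediction with `openssl rand -base64`.

# Number of '=' characters base64 appends for an input of $1 bytes.
# Base64 encodes 3 bytes as 4 characters; a final group of 1 byte gets "==",
# a final group of 2 bytes gets "=", a full group gets none.
expected_padding() {
    echo $(( (3 - $1 % 3) % 3 ))
}

# Total encoded length (with padding) for $1 input bytes: 4 * ceil(n / 3).
encoded_length() {
    echo $(( ( ($1 + 2) / 3 ) * 4 ))
}

# Count the trailing '=' characters actually present in string $1.
actual_padding() {
    s=$1
    n=0
    while [ "${s%=}" != "$s" ]; do
        s=${s%=}
        n=$((n + 1))
    done
    echo "$n"
}

# Compare prediction and observation for one byte count; returns 0 on match.
check_size() {
    out=$(openssl rand -base64 "$1" | tr -d '\n')   # strip line wrapping
    [ "$(actual_padding "$out")" -eq "$(expected_padding "$1")" ] &&
        [ "${#out}" -eq "$(encoded_length "$1")" ]
}

# Byte counts chosen for illustration: 16 and 32 as in the question,
# 33 and 48 as multiples of 3 that need no padding.
if command -v openssl >/dev/null 2>&1; then
    for bytes in 16 32 33 48; do
        if check_size "$bytes"; then result=match; else result=MISMATCH; fi
        printf '%2d bytes -> %d chars, %d "=" (%s)\n' "$bytes" \
            "$(encoded_length "$bytes")" "$(expected_padding "$bytes")" "$result"
    done
fi
```

The `=` carries no random data, so it neither adds to nor subtracts from the entropy of the token; requesting a byte count divisible by 3, or using `openssl rand -hex`, gives output with no padding.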