by twistedpair
4792 days ago
Hmm... rate limit, anyone? Just thinking here. If you sadly used just 26 characters in this space (rather than the 64 you can easily get in a URL), 26^7 ~= 8B codes. So, even if you perfectly got the first 14 characters, you'd have to brute force in the billions of attempts here. If you even more sadly did just hex characters (16^7) you're down to ~250M. However you cut it, someone had to hit up the reset API a bunch of times even in the worst case. Regardless of the entropy and key length used, if you're going to allow that many attempts, someone will get in. That and shame on anyone for assuming a basic math lib rand() function creates security grade entropy.
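The keyspace arithmetic and the two fixes the comment above argues for (a CSPRNG for the token, and a cap on guesses against the reset endpoint) as an added, stand-alone example. This is not the commenter's code nor code from any product discussed on the page; the alphabets, the 7-unknown-character assumption, the `ResetVerifier` class and its per-token attempt cap are illustrative choices made here.

```python
import hmac
import secrets

# Alphabets from the comment's arithmetic (constructed for this example).
LOWER = "abcdefghijklmnopqrstuvwxyz"                        # 26 symbols
HEX = "0123456789abcdef"                                    # 16 symbols
URLSAFE = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789-_")        # 64 symbols, all URL-safe


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct codes of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def expected_attempts(alphabet_size: int, length: int) -> int:
    """Average guesses needed to hit one valid code: half the keyspace."""
    return keyspace(alphabet_size, length) // 2


def hours_to_guess(alphabet_size: int, length: int, attempts_per_hour: int) -> float:
    """Expected wall-clock hours at a fixed guess rate, assuming the attacker
    already knows every other character of the token (the comment's worst case)."""
    return expected_attempts(alphabet_size, length) / attempts_per_hour


def make_token(alphabet: str, length: int) -> str:
    """Reset token drawn from the OS CSPRNG via `secrets`.

    `random.choice` would use a Mersenne Twister whose state can be recovered
    from observed outputs; that is the "math lib rand()" the comment warns about."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class ResetVerifier:
    """Hypothetical server-side check for one issued reset token.

    Two properties matter here: the comparison is constant-time, and the token
    is invalidated after a small number of wrong guesses, so the keyspace math
    above is never exercised at scale against a single token."""

    def __init__(self, token: str, max_attempts: int = 5):
        self._token = token.encode()
        self._max_attempts = max_attempts  # assumed cap; tune per deployment
        self._attempts = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        self._attempts += 1
        ok = hmac.compare_digest(self._token, candidate.encode())
        if ok:
            self.locked = True   # single use: burn the token on success
            return True
        if self._attempts >= self._max_attempts:
            self.locked = True   # burn the token; user must request a new one
        return False


if __name__ == "__main__":
    for name, size in (("lowercase", 26), ("hex", 16), ("url-safe", 64)):
        print(f"{name:>9}: {keyspace(size, 7):>16,} codes, "
              f"{hours_to_guess(size, 7, 3600):>14,.0f} h at 1 guess/s")
    tok = make_token(URLSAFE, 21)
    v = ResetVerifier(tok)
    print("wrong guesses accepted:", [v.verify("x" * 21) for _ in range(5)])
    print("correct token after lockout:", v.verify(tok))
```

The per-token cap is the minimum; a real endpoint also throttles by source address and globally, since an attacker who can request fresh tokens for many accounts is still limited only by how many guesses the service accepts overall.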