In all honesty, I don't see how an anonymous post is more lacking in relevance than a veiled argument. I actually wrote the above anonymous post, sorry, I hadn't realised I wasn't logged in.

I really don't see how you think that this compromises the security of the application in question.

A person applies for access and is sent a code by post. They can only do anything with that code if they are the owner of the email address which the request was made with and they received the code in the post.

There is basically no possibility of anyone guessing both pieces of information; it's not even any more plausible that someone having taken control of the email address could then guess the correct code. Note that it's not _any_ valid code, it's _that_ valid code that is required.

After that, they can associate a login token with their account to use it to log in. Worst case, if someone stole my email address and intercepted my post, they could attach their login to my account until I complained of all these injustices.

So who cares?

The point is that the supposed-to-be secure system whose identity I am legally bound not to reveal, is made more vulnerable now that its code can be cracked, albeit somewhere else. There may be repercussions from that.

One world, one people

My Algorithm::CouponCode module generates a checkdigit using a simple hash function. The function 'hashes' 45 bits of data to produce a 5 bit checksum.

I cannot conceive of a situation where a 5 bit checksum would be considered a security device. At most there are 32 possible values (actually only 31 in my case) so if someone wished to generate codes which appeared valid to your "supposed-to-be secure system" they could do a brute force attempt of every possible checkdigit value in considerably less time than it would take them to download my code, let alone read it.

The situation seems analogous to the credit card industry. A credit card number includes a check digit but that doesn't mean you can make up a number, calculate a valid check digit and then use it to buy stuff online - a card number can only be used if some bank somewhere looks it up in their database and says "yes, we will honour that transaction".