[Seth Goodman]
When verifying, you have to compare the hash in
a case insensitive manner. This actually reduces
the strength of the hash since in a case-insensitive
comparison, A=a, so we're not really even getting
the full 24 bits of hash that we wanted.
Case-insensitivity makes each BASE64 character worth ~5.25 bits, so a
4-character case-insensitive base64 hash gives ~21 bits entropy. I don't
think a spammer is going to try a million possibilities (average) per
message to get spam through, so that's probably enough.
Using four-digit BASE32 encodings instead gives 20 bits of entropy, and
doesn't have the problem with non-alphanumeric characters. So that would
be my suggestion. After all, what's the difference between a half
million and a million tries?
-ryan-
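As an added illustration (not part of Seth's or ryan's message), the figures in the thread computed from the case-folded alphabet sizes; it assumes the standard base64 and base32 alphabets and a 4-character tag, and generalizes to any alphabet and length:

```python
import math
import string

# Assumed standard alphabets: base64 (RFC 4648 section 4) and base32 (RFC 4648 section 6).
BASE64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
BASE32_ALPHABET = string.ascii_uppercase + "234567"


def distinguishable_symbols(alphabet, case_insensitive):
    """Count the symbols a verifier can tell apart.

    With case folding, 'A' and 'a' land in the same class, so the 52 base64
    letters collapse to 26 classes while the digits and '+', '/' stay distinct
    (64 -> 38).  Base32 is all upper case, so folding costs it nothing (32).
    """
    if case_insensitive:
        return len({c.lower() for c in alphabet})
    return len(alphabet)


def tag_entropy_bits(alphabet, length, case_insensitive):
    """Bits of entropy in a `length`-character tag as seen by the verifier."""
    return length * math.log2(distinguishable_symbols(alphabet, case_insensitive))


def expected_guesses(alphabet, length, case_insensitive):
    """Average number of random tags a sender must submit before one verifies:
    half of the N**length space."""
    return distinguishable_symbols(alphabet, case_insensitive) ** length / 2


def tag_matches(expected, candidate, case_insensitive):
    """The verifier's comparison; case folding is what widens each class."""
    if case_insensitive:
        return expected.lower() == candidate.lower()
    return expected == candidate


if __name__ == "__main__":
    for name, alphabet, ci in [("base64, exact", BASE64_ALPHABET, False),
                               ("base64, case-insensitive", BASE64_ALPHABET, True),
                               ("base32, case-insensitive", BASE32_ALPHABET, True)]:
        bits = tag_entropy_bits(alphabet, 4, ci)
        print(f"{name:26s} {distinguishable_symbols(alphabet, ci):2d} symbols "
              f"{bits:5.2f} bits  ~{expected_guesses(alphabet, 4, ci):,.0f} tries")
```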