

Simple auto-login from emails using your favorite key-value store - birken
http://danbirken.com/usability/2015/01/07/simple-automatic-login-from-emails.html

======
Someone1234
You should be using secure random numbers (os.urandom()), not random numbers.
The problem with what you're currently doing is that if an attacker generates
enough of the sequence they can guess future members also (which could be a
different user).

Also your code has a bug: What if generate_random_string returns the same
result twice? You don't check for that.

A 20 digit long code with a 26 digit set likely IS secure enough. But why not
just add 0-9 for funzies? It won't break compatibility, and expands the scope
quite nicely.
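An added example, not part of the comment above or of the linked article: one way to generate the login token from the OS CSPRNG, with a 36-symbol alphabet (a-z plus 0-9) and a check for a repeated token before it is stored. `generate_random_string` is the name used in the comment; `DictStore`, `set_if_absent`, `issue_login_token` and `token_entropy_bits` are hypothetical names, and the dict-backed store is a constructed stand-in for a key-value store's atomic set-if-not-exists operation.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols instead of 26
TOKEN_LENGTH = 20


class DictStore:
    """Constructed stand-in for a key-value store (hypothetical interface)."""

    def __init__(self):
        self._data = {}

    def set_if_absent(self, key, value):
        # A real store would do this atomically; a plain dict is enough here.
        if key in self._data:
            return False
        self._data[key] = value
        return True

    def get(self, key):
        return self._data.get(key)


def generate_random_string(length=TOKEN_LENGTH, alphabet=ALPHABET):
    # secrets.choice draws from the OS CSPRNG (the same source as os.urandom),
    # so earlier tokens give no information about later ones.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_login_token(store, user_id, generator=generate_random_string,
                      max_attempts=5):
    # Never overwrite an existing token: a duplicate would silently point one
    # user's emailed link at another user's account.
    for _ in range(max_attempts):
        token = generator()
        if store.set_if_absent(token, user_id):
            return token
    raise RuntimeError("could not allocate a unique login token")


def token_entropy_bits(length=TOKEN_LENGTH, alphabet_size=len(ALPHABET)):
    # Bits of entropy for a uniformly random token: length * log2(alphabet size).
    return length * math.log2(alphabet_size)
```

With 20 characters, the 26-letter alphabet gives about 94 bits and the 36-symbol alphabet about 103 bits.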

