The author tries to trick you into believing it is secure by including a salt. However the resulting key space of the "hash" gives you the same security as a 5-6 character alphanumeric password. A motivated attacker could enumerate all possibilities in a few hours.
Why not the same approach here? if you try to brute force a password reset, you lock out further attempts for a few minutes.
you don't need to lock out the entire account.
For my own products I do something a little different. Instead, when I create a record I generate a random number (with Ruby's SecureRandom module) and store the base32 encoding in the database. With the universe set at 1bil, this reliably generates a random 6 character string that I can safely show to the customer.
Edit: base62, not base82
Are you sure about that? You might want to consider a smaller alphabet, with vowels and ambiguous letters/numerals (0/O, 1/l/I) omitted. That has two advantages: you won't accidentally generate an identifier containing meaningful words (notably profanity), and the identifiers become easier to unambiguously transcribe and interpret. And you'll still reliably get a 6-character identifier as long as you have at least 32 symbols to use.
This sounds extremely over-engineered though. You have to have a database of all of the IDs to keep track of which ones are valid, right? If so, you just randomly generate the IDs rather than serializing + encrypting. There is no point in trying to hide information in the ID when it's essentially just a primary key into a database anyway.
>> A true cryptographic hash cannot be decrypted. However, to keep things simple the word hash is used loosely to refer to the random set of characters that is generated -- like a YouTube hash.
-  https://github.com/dylang/shortid
var numbers = [1, 2, 3, 4, 5];
var encoded = btoa(''+numbers).replace(/=/g, '');
var decoded = atob(encoded).split(',').map(Number);