After a client buys a serial key, he receives an e-mail containing a token key. With that token key he can access a page where he can see the serial he wanted. I wonder how I can do this while staying safe from brute-force attacks?
I thought one idea is to use case-sensitive alphanumeric strings at least 12 characters long. To be faster, in the e-mail the string is attached to a link, e.g.:
www.foo.com/get_serial.php?token=23As4s74dsFDs412s
To improve security I thought it would be a good idea to have a captcha verification, but with logical answers like: "A man has twenty : (fingers)" or something. I need suggestions to make this as safe and fast as possible.
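
An added example, not part of the original post: one way to issue and check the `token` value from the link above so that guessing is impractical, using a CSPRNG token, hash-only storage and per-IP failure throttling. The function names, the limits, the expiry and the in-memory arrays (standing in for database tables) are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names). Arrays stand in for database tables.
const TOKEN_BYTES = 16;      // 128 random bits; 12 alphanumeric chars give about 71
const MAX_FAILURES = 5;      // assumed limit of bad tokens per client IP...
const WINDOW_SECONDS = 900;  // ...within this window
const TOKEN_TTL = 86400;     // assumed link lifetime in seconds

function issue_token(array &$store, string $serial): string
{
    // CSPRNG output, URL-safe base64 so it can sit in ?token=...
    $token = rtrim(strtr(base64_encode(random_bytes(TOKEN_BYTES)), '+/', '-_'), '=');
    // Store only the hash: a leaked table then holds no usable links.
    $store[hash('sha256', $token)] = ['serial' => $serial, 'expires' => time() + TOKEN_TTL];
    return $token;
}

function redeem_token(array &$store, array &$failures, string $ip, string $token): ?string
{
    $now = time();
    // Keep only failures inside the window, then throttle before any lookup.
    $recent = array_filter($failures[$ip] ?? [], fn($t) => $t > $now - WINDOW_SECONDS);
    $failures[$ip] = array_values($recent);
    if (count($failures[$ip]) >= MAX_FAILURES) {
        return null;
    }
    $row = $store[hash('sha256', $token)] ?? null;
    if ($row === null || $row['expires'] < $now) {
        $failures[$ip][] = $now;   // unknown and expired tokens both count as failures
        return null;
    }
    return $row['serial'];
}

// Constructed demo data: the serial and the IP (documentation range) are made up.
$store = [];
$failures = [];
$token = issue_token($store, 'DEMO-0000-SERIAL');
echo "link: www.foo.com/get_serial.php?token=$token\n";
echo 'valid token: ', redeem_token($store, $failures, '203.0.113.7', $token) ?? 'refused', "\n";
for ($i = 0; $i < MAX_FAILURES; $i++) {
    redeem_token($store, $failures, '203.0.113.7', 'guess' . $i);
}
// The same IP is now throttled, even when it presents the valid token.
echo 'after bad guesses: ', redeem_token($store, $failures, '203.0.113.7', $token) ?? 'refused', "\n";
```

It needs PHP 7.4 or later for the arrow function; `random_bytes()` is the part that matters, since a token built from `rand()` or `uniqid()` is predictable regardless of its length.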