I was emailed a reset key. It was 40 hex letters, so 20 bytes which is 160 bits. I thought to myself, why 160 bits? Maybe it's a 128 (key) + 32 bit (checksum or id or something). Maybe something else. I am sure it was done for a reason but why? (PS: The person on the other end seems to not want to say why or maybe doesn't know. So asking elsewhere hasn't worked. I felt silly.)
I am sure script is written in PHP as the rest of the site is.
ha, ok, so it might be a SHA-1. But what would be hashed? I reset my password twice this evening, i am not sure how long apart but they were the same keys. I'll try tomorrow. Maybe its a datestamp + user id i wonder...