http://qs321.pair.com?node_id=564637


in reply to Short & Sweet Encryption?

My guess is that this is just for some sort of email verification system, where 99% of the users won't have the knowledge and/or patience to break your code, and the few that do won't matter because it's easier to get a new bogus email account than break the code. In this case, a one-way digest will probably work fine (I'd use MD5-hex, trimmed to whatever length is necessary), and if you're concerned that this will make things too easy, just store an (expiration) timestamp in your database as well as user name and encrypt on that too. Then if someone fails more than a few times when "clicking" the link, auto-ban his IP.
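The scheme described in the reply above, sketched as an added example that is not part of the original post: a digest over user name and expiration timestamp, trimmed for the link, with a per-IP failure counter. It swaps plain MD5 for HMAC-SHA256 with a server-side secret (an assumption, so the token cannot be recomputed from the user name and timestamp alone); `make_token`, `check_token`, `%fails` and `$SECRET` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example: every name below is hypothetical, sample data is constructed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET    = 'replace-with-random-server-side-key';  # constructed placeholder
my $TOKEN_LEN = 16;    # hex chars kept after trimming (64 bits)
my $MAX_FAILS = 3;     # failed clicks allowed per IP before banning
my %fails;             # in-memory stand-in for a per-IP failure table

# Token = keyed digest over user name and expiry, trimmed for a short link.
sub make_token {
    my ($user, $expires) = @_;
    return substr(hmac_sha256_hex("$user|$expires", $SECRET), 0, $TOKEN_LEN);
}

# Compare without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# $expires is the value stored in the database for $user, not taken from the link.
sub check_token {
    my ($ip, $user, $expires, $token, $now) = @_;
    return 'banned' if ($fails{$ip} // 0) >= $MAX_FAILS;
    if ($now <= $expires && same_string($token, make_token($user, $expires))) {
        return 'ok';
    }
    $fails{$ip}++;
    return 'rejected';
}

# Constructed sample data
my $now     = 1_700_000_000;
my $expires = $now + 24 * 3600;
my $good    = make_token('alice', $expires);

print check_token('192.0.2.1', 'alice', $expires, $good, $now), "\n";           # valid link
print check_token('192.0.2.1', 'alice', $expires, $good, $expires + 1), "\n";   # expired link
print check_token('192.0.2.9', 'alice', $expires, '0' x $TOKEN_LEN, $now), "\n" for 1 .. 4;
```

In a real deployment the failure counter would live in the same database as the stored expiration timestamp, and the trimmed length sets how many guesses an attacker needs before the per-IP limit stops them.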