Comment Re:It is "a random hash" (Score 1) 251
The idea is that the user set his password via (presumably) secure https. The purpose of the random hash is so that you provide the legitimate email user a transient secret that must be used *in conjunction* with the password they had chosen (or some session cookie sent via https to avoid making them log in twice when clicking on the email).
So here the password is to authenticate that the original person that accesses the site, the hash authenticates a valid email account. Both together are required to verify the account is valid. This way someone intercepting SMTP doesn't get access to hijack account and someone without a valid email can't get an account activated.