Comment Re:How stupid could someone be? (Score 1) 111
The real solution is to NOT use a generation algorithm for keys. Generate strings, then approve only those you actually sell and distribute.
Hash collisions will eventually happen. I believe Windows XP suffered from it where the sheer number of installations has meant that there was a good chance a keygen will also make a valid key that's already been issued. Sure you are blocking a good chunk of them at the beginning, but eventually a keygen will stumble upon a valid key that you DID issue.
I believe it also happened to a widely pirated game - the end result was legitimate users were getting locked out because the publisher created a huge list of keys (and the server checked it was issued!), and the keygen created keys on the list as well, so pirates could play the game, while the key was sitting in the box on the shelf at Best Buy. User comes around and boom, key is used.
To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.
This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.
On update you validate both the key, and the installation ID.
In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.
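One way to implement what the two posts above describe, as an added Python example that is not code from either poster or from any vendor: keys are random strings checked against the issued list rather than output of a generation algorithm (so a keygen has nothing to reverse and only a negligible chance of landing on an issued key), and activation binds a server-generated installation ID to the key, which is checked on every update and can be revoked when the user moves machines. The class and method names (LicenseServer, issue_key, activate, validate, revoke, max_installs_per_key) and the key format are assumptions made for this illustration.

```python
import secrets

# Unambiguous characters (no 0/O, 1/I): 32 symbols = 5 bits per character.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KEY_CHARS = 25  # 25 * 5 bits = 125 bits of entropy per key


class LicenseServer:
    """Hypothetical server-side registry of issued keys and installation IDs."""

    def __init__(self, max_installs_per_key=1):
        self.issued = {}      # key -> set of active installation ids
        self.installs = {}    # installation id -> key it was activated under
        self.max_installs = max_installs_per_key

    def issue_key(self):
        """Generate a random key and record it as sold; no algorithm to learn."""
        raw = "".join(secrets.choice(ALPHABET) for _ in range(KEY_CHARS))
        key = "-".join(raw[i:i + 5] for i in range(0, KEY_CHARS, 5))
        self.issued[key] = set()
        return key

    def is_issued(self, key):
        """Only keys on the issued list are valid, however well-formed a guess looks."""
        return key in self.issued

    def activate(self, key):
        """Bind a new installation ID to the key, or refuse if the key is unknown/full."""
        if not self.is_issued(key):
            return None
        active = self.issued[key]
        if len(active) >= self.max_installs:
            return None  # already activated on the allowed number of systems
        install_id = secrets.token_hex(16)  # unpredictable, stored on both sides
        active.add(install_id)
        self.installs[install_id] = key
        return install_id

    def validate(self, key, install_id):
        """Update check: both the key and the installation ID must match."""
        return self.installs.get(install_id) == key

    def revoke(self, install_id):
        """Licensing-desk action when a user moves to a new machine."""
        key = self.installs.pop(install_id, None)
        if key is None:
            return False
        self.issued[key].discard(install_id)
        return True


def demo():
    """Walk through issue -> activate -> blocked second activation -> revoke -> move."""
    server = LicenseServer(max_installs_per_key=1)
    key = server.issue_key()
    first = server.activate(key)
    second = server.activate(key)          # second machine, same key: refused
    moved = server.revoke(first)           # support revokes the old install
    replacement = server.activate(key)     # new machine now activates
    # Constructed guess: well-formed but never issued, so rejected outright.
    guess = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"
    return {
        "first_install_ok": first is not None,
        "second_install_blocked": second is None,
        "old_id_invalid_after_revoke": moved and not server.validate(key, first),
        "replacement_ok": replacement is not None and server.validate(key, replacement),
        "guess_rejected": not server.is_issued(guess) and server.activate(guess) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Raising max_installs_per_key is the "controlled multi-system installs" option; the revoke path is the manual step the poster mentions, and the later replies' point about support cost applies exactly there.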
The problem with that is users hate calling for support, and how long are you going to maintain it?
I mean, great, you do this. Now you'll have to handle calls from people calling about a 10 year old version they need moved to a new PC. And forget about offering in-system deregistration because most users, by the time they install it, the old installation is gone - either hard drive died, got corrupted, etc., and there is no way to deregister the key.
So either you have to deal with users who call to move their 10 year old copy of software (no longer supported) to new PCs (and hell no they will not pay to upgrade) even though it's no longer in production, supported, and bugfixes stopped 5 years ago, or you will end up with a really pissed off user.
You also have to remember we're talking about $20 pieces of software. If it was a $500 piece of software then maybe you'll have more diligent users who will tolerate phoning software support, but likely not.
For something like Malwarebytes' product, since it's online only, it's easy to check keys since it will have to get updates always.