You could also implement some kind of fake word-generation using common syllables, or word-combining (easier). Word combining is easy enough to do and will get you N^2 or N^3 options.
Unlikely to run out for a while due to good faith usage, but it would be pretty trivial to exhaust the word pool with an attack. Currently, it doesn't even check for dups - successive requests for the same URL produced different code words.
I'd think that's actually by design. If entering a duplicate URL forced it to reset the expiration, for example, you could effectively have a script that just kept submitting the URL and make a permanent link to whatever site you were targeting. A captcha could fix that (perhaps some kind of check for number of times a URL was re-submitted, and if too many, start doing CAPTCHA). Or a maximum time-period for a link to be active including refreshes (say something like 48-96 hours).
But yes, I imagine the word-pool can get exhausted fairly quickly under an attack.
I think that the maximal renewal time should be proportional to the expiration time.
If, for example, the original expiration time is 5 minute, during the first 5 minutes any new resubmission of the URL gets the same address, and the time is extended to 5 minutes. After these 5 minutes, the address is still available if it life was extended, but any new resubmission get another address.
In this way the shortcut is active between 5 and 10 minutes, and at any time there are at most two shortcuts for each original URL (for each expiration interval).
