Up to now this is all just conjecture. Ruud has not revealed what exactly he means by tokenize. The vars could very well remain as plain text.
Passwords and text strings could still be ripped without the need for even a de-tokeenizer.
If the pre-tokenizer in the current version is any indication, a few simple tests would determine if var length affects performance. From my recollection of converstions on this topic, var length still affects performance.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
