I am using the following code in my code to send a password reset token to a user.
$token = md5($user_id . time());
Why is this considered a bad approach, cited as having weak entropy? The above code would generate a scary-looking 32-bit token that an attacker cannot decipher at all.
Suppose md5 reverse engineering is not possible (although it is).
My question is: why is this a bad approach? How do I say it has weak entropy? Is there a way I can calculate its entropy?
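
One way to put a number on the entropy asked about above, as an added example that is not part of the original post: a token's entropy is bounded by log2 of the number of inputs an outsider cannot rule out, here candidate user ids times candidate seconds, regardless of how long the hash output is. The helper function names, sample user id, timestamp and window are assumptions made for illustration; `random_bytes()` requires PHP 7 or later.

```php
<?php
// Added example: entropy comes from the inputs, not from the hash output length.

// The scheme from the question, with the timestamp made explicit.
function weak_token(int $userId, int $timestamp): string
{
    return md5($userId . $timestamp);
}

// Upper bound on entropy in bits: log2 of the number of inputs an outsider
// cannot rule out (candidate user ids x candidate seconds).
function entropy_bits(int $candidateUserIds, int $windowSeconds): float
{
    return log($candidateUserIds * $windowSeconds, 2);
}

// Count the distinct tokens the scheme can emit for one user over a window.
function distinct_tokens(int $userId, int $start, int $windowSeconds): int
{
    $seen = [];
    for ($t = $start; $t < $start + $windowSeconds; $t++) {
        $seen[weak_token($userId, $t)] = true;
    }
    return count($seen);
}

// Replacement: every bit of the token comes from the OS CSPRNG.
function strong_token(): string
{
    return bin2hex(random_bytes(32)); // 32 random bytes = 256 bits
}

$userId = 42;          // constructed sample value
$start  = 1700000000;  // constructed sample Unix timestamp
$window = 3600;        // assumption: reset requested some time within this hour

printf("md5 output size:            128 bits\n");
printf("distinct tokens in window:  %d\n", distinct_tokens($userId, $start, $window));
printf("entropy, user id known:     %.1f bits\n", entropy_bits(1, $window));
printf("entropy, 1M possible users: %.1f bits\n", entropy_bits(1000000, $window));
printf("random_bytes(32) token:     256 bits, e.g. %s\n", strong_token());
```

MD5 is deterministic, so the number of distinct tokens equals the number of distinct inputs; hashing changes how the value looks but adds no unpredictability.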