I am using the following code in my code to send a password reset token to a user.
$token = md5($user_id . time());
Why this is considered as a bad approach being cited as it has a weak entropy? The above code would generate a scary-looking 32 bit token that an attacker cannot decipher at all.
Suppose md5 reverse engineering is not possible (Although it is).
My question is why this is a bad approach? How do I say it has a weak entropy? Is there a way I can calculate its entropy?
How do I say it has a weak entropy?
Your function is deterministic: it produces same result for a given user id at a given time. So if both variables are known the entropy would be zero.
My question is why this is a bad approach?
So if I know a particular user id e.g. 123456 then all I need to do is:
$user_id = 123456;
$request_time = 1726476087;
for ($time = $request_time - 5; $time <= $request_time + 5; $time++) {
$token = md5($user_id . $time);
send_request("reset.php?token=" . $token);
}
The brute force approach could be also used for arbitrary user ids with some improvements e.g. calculate the exact different between the clocks and estimate the number of users in the system before hand.