$token = md5($user_id . time());
The password reset token is supposed to be secret. However, it is derived from values that are not secret, or at least not hard to guess.
The attack scenario is as follows:
- an attacker requests a password reset for the user with id 123.
- they calculate the password reset token themselves, by doing
  $token = md5($user_id . time())
- they navigate to the password reset page and reset the password of user 123.
The problem is with step 2, where the attacker can calculate the password reset token themselves. If the reset token were random, or contained some secret information, this would not be possible.
Perhaps user IDs are random and not public, but can be presumed to be between 0 and 2^32. In that case, the attacker has to try at most 2^32 password reset tokens before they can reset the password. In this case, the entropy can be said to be 32 bits.
In cases like this it is not really useful to think about entropy at all. Just think about whether an attacker can calculate the reset token themselves with the information they have.
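As an added example (not code from the original page), here is the weak derivation next to a token the requester cannot calculate, because it comes from the system CSPRNG instead of the user id and the clock. The function names, the in-memory $store array and the one-hour lifetime are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. Function names, the in-memory
// $store array and RESET_TTL are assumptions for illustration only.
const RESET_TTL = 3600; // seconds a token stays valid (assumed policy)

// Weak form from the page: every input is known to or guessable by the requester.
function weak_token(int $user_id): string {
    return md5($user_id . time());
}

// Hardened form: 32 bytes from the OS CSPRNG, unrelated to user id or clock.
// Only the SHA-256 of the token is stored, so reading the store yields no usable token.
function issue_reset_token(array &$store, int $user_id, int $now): string {
    $token = bin2hex(random_bytes(32));
    $store[$user_id] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token; // delivered to the account's e-mail address, never stored in clear
}

// Redeem: expiry check, constant-time comparison, single use.
function redeem_reset_token(array &$store, int $user_id, string $token, int $now): bool {
    $row = $store[$user_id] ?? null;
    if ($row === null || $now > $row['expires']) {
        unset($store[$user_id]);
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$user_id]); // a token can be redeemed only once
    return true;
}

// Constructed demo: an md5(user_id . time()) value calculated by the requester,
// then the token that was actually issued, then a second use of that token.
$store = [];
$now   = time();
$token = issue_reset_token($store, 123, $now);

var_dump(redeem_reset_token($store, 123, weak_token(123), $now));
var_dump(redeem_reset_token($store, 123, $token, $now));
var_dump(redeem_reset_token($store, 123, $token, $now));
```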