//nefariousplan

Hash Is Not Entropy

A security token is derived by running a cryptographic hash over a low-entropy value (a timestamp, a counter, a username, an autoincrement primary key). The cryptographic strength of the hash function is treated as compensating for the predictability of the input. It does not. The hash is a deterministic function; the output's entropy is bounded by the input's entropy, regardless of how the bits are spread across the digest.
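As an added illustration (not code from the original post), the snippet below contrasts the anti-pattern with the correct construction and measures the point directly: it counts the distinct digests that a hashed counter can produce, which is bounded by the number of distinct inputs no matter how wide the digest is. The function and variable names are the author's own choices for this example.

```python
import hashlib
import math
import secrets


def weak_token(counter: int) -> str:
    """Anti-pattern: SHA-256 over a small, predictable integer.

    The digest is 256 bits wide and looks random, but it is a deterministic
    function of `counter`, so there can never be more distinct tokens than
    there are distinct counter values.
    """
    return hashlib.sha256(str(counter).encode("ascii")).hexdigest()


def strong_token(nbytes: int = 32) -> str:
    """Correct construction: draw the token bytes from the OS CSPRNG.

    `secrets` is the stdlib interface to os.urandom; every bit of the token is
    unpredictable, so the entropy is the full nbytes * 8 bits.
    """
    return secrets.token_hex(nbytes)


def input_entropy_bits(candidate_count: int) -> float:
    """Upper bound on token entropy given how many inputs the generator can see.

    Example: a Unix timestamp known to the second within a single day has
    86400 candidates, i.e. about 16.4 bits, even though its hash is 256 bits.
    """
    return math.log2(candidate_count)


def observed_digest_entropy_bits(inputs) -> float:
    """Entropy of the *output* space, measured by counting distinct digests.

    Because hashing is deterministic, len(distinct digests) <= len(distinct
    inputs), so this never exceeds input_entropy_bits(len(set(inputs))).
    """
    distinct_digests = {weak_token(x) for x in inputs}
    return math.log2(len(distinct_digests))


if __name__ == "__main__":
    # Constructed input space: an 8-bit counter. The digests are 256 bits
    # wide, but only 256 of them can ever occur.
    print(observed_digest_entropy_bits(range(256)))   # 8.0, not 256
    print(input_entropy_bits(86400))                  # ~16.4 bits for a one-day timestamp
    print(strong_token())                             # 64 hex chars, 256 bits of entropy
```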