Is this method of 32 char hash generation secure enough for online-based attacks?

A fellow developer and I have been having a discussion about how vulnerable a few different methods of developing a hash are, and I’ve come here to see if smarter people than I (us?) can shed some light.

In PHP, I feel the below is secure ENOUGH to generate as 32 character value that could not be reasonably broken via online attack. There are some other mitigating circumstances (such as in our specific case it would also require the attacker to already have some compromised credentials), but I’d like to just look at the "attackability" of the hash.

str_shuffle(MD5(microtime())) 

The suggested more secure way of generating a 32 character hash is:

bin2hex(random_bytes(16)) 

I acknowledge the first hash generation method is not ABSOLUTELY SECURE, but for an online attack I think being able to guess the microtime (or try a low number of guesses), and know the MD5 was shuffled and/or find a vulnerability in MT which str_shuffle is based on is so low as to make it practically secure.

But I would love to hear why I’m a fool. Seriously.

EDIT — This is being used as a password reset token, and does not have an expiry (although it is cleared once used, and is only set when requested).