I'm not talking about signing my microsoft update cert with md5() here.
By all means, I do encourage you to get a valid token for the next 20 minutes, find a collision attack and get a secure token that will work for another timestamp "sometime in the future" (without passing the captcha!) on the system I'm building..
Need small output? Truncate the output of SHA-256. What "easy to compute" means? Performance? Use BLAKE2. Code complexity? sha256() is only 3 letters more than md5() (you're probably not writing your own implementation).
Asking other people (especially, not professional cryptographers) to try to break your system which knowingly uses insecure primitives is an awful way to evaluate system security.
