The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal java random class, which uses the current time in milliseconds as seed.
This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
It also lists some solutions.
It is more secure to use a cryptographically secure string, as explained here: