How long would it take to brute force an 8 character string vs. a 32 character string?


How long would it take to brute force a 32 character string?

Assuming you have a web page that tells you whether the string is valid, and there is no limit to the number of requests.

I'm using a 32 character string in a password reset link emailed to the user, and I'm wondering what the time difference would be to try all 32 characters vs. trying an 8 character string.

Are we talking minutes, hours, days, months?


Solution

  • To calculate this we would need the number of characters in the set and the number of attempts per second.

    If we assume that you have 100000 attempts per second and 64 characters in the set this is how it would look:

    64^8 / 100000 / 60 / 60 / 24 = 32 days
    
    64^32 / 100000 / 60 / 60 / 24 = approx. 7.2E47 days
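
The same keyspace-over-rate formula as a reusable estimate, next to a generator for the kind of 32-character reset token the question describes. This is an added example, not code from the original post; the URL-safe alphabet and all function names are assumptions, while the 64-symbol set size and 100000 attempts per second come from the answer.

```python
import math
import secrets
import string

# Assumed 64-symbol URL-safe alphabet; the page only says "64 characters in the set".
ALPHABET = string.ascii_letters + string.digits + "-_"
SECONDS_PER_DAY = 60 * 60 * 24


def new_reset_token(length=32):
    """Draw every character from the OS CSPRNG. The estimates below only
    hold when tokens are uniformly random, not derived from time or user id."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(charset_size, length):
    """Bits of entropy in a uniformly random string: length * log2(charset)."""
    return length * math.log2(charset_size)


def days_to_exhaust(charset_size, length, attempts_per_second):
    """Worst case: days needed to try every candidate (exact integer math).
    On average a guesser succeeds after about half this time."""
    return charset_size ** length // (attempts_per_second * SECONDS_PER_DAY)


def humanize(days):
    """Turn a day count into the coarse unit the question asks about."""
    if days < 1:
        return "under a day"
    if days < 365:
        return f"{days} days"
    years = days // 365
    return f"{years:,} years" if years < 10**9 else f"{years:.1e} years"


if __name__ == "__main__":
    rate = 100000  # attempts per second, as assumed in the answer
    print("sample token:", new_reset_token())
    for length in (8, 32):
        days = days_to_exhaust(len(ALPHABET), length, rate)
        bits = entropy_bits(len(ALPHABET), length)
        print(f"{length} chars: {bits:.0f} bits, {humanize(days)} to exhaust")
```
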