How to guess 8 character long reset token



  • Reset token contains lowercase a-z and numbers 0-9; there will be at maximum 5 numbers, at minimum there will be 0 numbers. It is randomly generated. How many possibilities do we have? How much time does this take to brute force? Example: x8h1w751, j6p0u32t, 7a5yh8x1, kbyjawkm, zny5clm.



  • In general, to figure out how many order-sensitive combinations of possibilities (permutations) there are for a string of N values, you multiply the number of possible values for each of the N positions together.

    For 5 of the digits, there are 36 possibilities each (letter or number); for the other 3 digits, there are 26 possibilities each (can't have more than five numbers so they're all letters). 36*36*36*36*36*26*26*26 = (36^5)(26^3) = 1,062,753,509,376 (1.06 trillion).

    That's a lot, but it's plausibly within possibility to brute-force locally if checking each value doesn't take too long. If it's just simple string comparisons, a modern CPU core can probably do about a billion per second, so it'd take ~1000 seconds (16 minutes 40 seconds) divided by the number of CPU cores (this is a very rough estimate; depending on your system it could easily be a few times that long, or significantly less time).

    Of course, it's not going to just be a simple string comparison. Even if it's a local app, you presumably can't do a simple string comparison or else you could just look up what string it's comparing against; instead, it will be a hash of some sort (which significantly increases the amount of computation per candidate, even if it's a fast hash). Still possible to brute-force, unless it's a deliberately slow hash, but it might take days or weeks.

    Note that a GPU or other highly-parallel processor could speed up any of the local attacks by an enormous amount. For example, high-end commodity graphics cards can compute tens of billions of hashes per second, which is faster than many CPUs can go just checking unhashed values!

    If it's on a server you're connecting to remotely, even over a LAN but especially over the Internet, it'll take much longer. Unless the server can handle a ton of traffic and you have a lot of machines or very high bandwidth, you might not be able to try more than roughly a thousand candidates per second; at that rate, it'll take a gigasecond, which is about 31.7 years. That's assuming the server isn't using a slow hash, which might be tuned such that it can only handle 100 requests a second, so multiply the previous time by 10.


    Of course, all of this is moot in reality, since the software (server or whatever) shouldn't allow anywhere near that many attempts. There's really no good reason to allow more than, like, 3. If you can't manage to copy-paste a string correctly after three tries, you can get a new reset token. Guessing correctly on a 3-in-a-trillion chance is, well, as unlikely as it sounds, and then you have to wait a while as a new token is created... and if anybody sees that many attempts to get tokens, they'll block that feature from the requesting clients (via IP block or CAPTCHA or whatever).
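
For anyone sizing a reset-token scheme, here is the arithmetic from the answer above as an added example (not part of the original post). It goes one step further than the answer by also counting the keyspace exactly, summing over how many digits the token contains; the function names are illustrative and the guess rates are the rough figures quoted in the answer.

```python
from math import comb, expm1, log1p, log2

LETTERS, DIGITS = 26, 10  # a-z and 0-9, as stated in the question

def exact_keyspace(length=8, max_digits=5):
    """Strings over a-z0-9 with at most max_digits digits.

    For each digit count k: pick which k positions hold digits,
    then fill the digits (10^k) and the letters (26^(length-k)).
    """
    return sum(comb(length, k) * DIGITS**k * LETTERS**(length - k)
               for k in range(max_digits + 1))

def positional_estimate(length=8, max_digits=5):
    """The answer's product: 36 choices for max_digits positions, 26 for the rest."""
    return (LETTERS + DIGITS)**max_digits * LETTERS**(length - max_digits)

def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a fixed rate."""
    return keyspace / guesses_per_second

def success_probability(keyspace, attempts_per_token, tokens_issued=1):
    """Chance of at least one hit when each freshly generated token
    allows only attempts_per_token guesses before it is invalidated."""
    per_token = min(attempts_per_token / keyspace, 1.0)
    if per_token >= 1.0:
        return 1.0
    # 1 - (1 - p)^n, computed stably for very small p
    return -expm1(tokens_issued * log1p(-per_token))

if __name__ == "__main__":
    exact, rough = exact_keyspace(), positional_estimate()
    print(f"exact keyspace     : {exact:,} (~{log2(exact):.1f} bits)")
    print(f"36^5 * 26^3 product: {rough:,} (~{log2(rough):.1f} bits)")
    # Rates taken from the answer: local compare, remote server, slow hash.
    for label, rate in [("local string compare", 1e9),
                        ("remote, ~1000 req/s", 1e3),
                        ("remote, slow hash, ~100 req/s", 1e2)]:
        years = seconds_to_exhaust(exact, rate) / (365.25 * 86400)
        print(f"{label:30s}: {years:,.4f} years")
    # Effect of the 3-attempt cap, for one token and for a million re-issues.
    for tokens in (1, 10**6):
        print(f"3 tries x {tokens:>9,} tokens: p = "
              f"{success_probability(exact, 3, tokens):.3e}")
```

The last two lines of output show why the attempt cap matters more than the raw keyspace: with three tries per token the success chance stays tiny even across a million re-issued tokens, which is also the volume at which the token-request endpoint itself should be rate limited.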


