56

Brute force always works. Period.

Comments
  • 27
    *Eventually.
  • 1
  • 1
    Not always
  • 3
    Brute force rarely works.

    Why?
    Well, starting from my own work, if you try more than 6 times your account is blocked and it can be unlocked only by an email that has a 32-character-long string that is mandatory in order to make the reset page behave as it is.
    So unless your 6th try is correct, you are going to have a bad time my friend.
  • 0
    @nofckingcluedev You aren't blocking access to login by minutes, just by that email???

    Your system is actually ripe for brute forcing as someone can easily make a brute force script which simply works with checking email and taking that code and entering it when it needs to and then continue on brute forcing.

    You really should force waits for around 30 minutes or so, it will not destroy brute forcing (because they cannot be stopped, just slowed down) but it will not make it feasible to do on your system.
  • 0
    Ain't nobody got time for that
  • 0
    @arekxv But if you don't have access to that email account....
  • 0
    @linuxxx From what he explained it seems that this is a user email.
  • 1
    @arekxv If you try more than the limit, everyone, even with the real password, is locked out.
    The only way to access your account is by using a unique reset link that was sent to the user's email account; this email is given by the user when he creates his account.
    A unique string is created for every account, and in order to make that link work you need to have the correct string+email+username+password.
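
The lockout scheme described in the comments above, as an added sketch that is not part of the thread and not any commenter's code. The names `Account`, `login` and `unlock`, the PBKDF2 password hashing and the hex token format are assumptions made for illustration; only the 6-attempt limit, the 32-character string and the four values required by the reset link come from the thread.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 6   # attempt limit quoted in the thread
TOKEN_CHARS = 32   # reset-string length quoted in the thread


def _hash(password, salt):
    # Assumed storage format: salted PBKDF2, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, email, password):
        self.username, self.email = username, email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.failures = 0
        self.reset_token = None   # non-None means the account is locked

    def password_ok(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)


def login(acct, password):
    """Return 'ok', 'denied' or 'locked'."""
    if acct.reset_token is not None:
        return "locked"           # the real password is refused as well
    if acct.password_ok(password):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        # 16 random bytes -> 32 hex characters; would be mailed to acct.email
        acct.reset_token = secrets.token_hex(TOKEN_CHARS // 2)
        return "locked"
    return "denied"


def unlock(acct, token, email, username, password):
    """Reset-link handler: token, email, username and password must all match."""
    if acct.reset_token is None:
        return False
    ok = (hmac.compare_digest(token.encode(), acct.reset_token.encode())
          and email == acct.email and username == acct.username
          and acct.password_ok(password))
    if ok:
        acct.failures, acct.reset_token = 0, None
    return ok
```

The sixth wrong guess locks the account for the legitimate owner too, which is the trade-off the thread is arguing about: a time-based wait slows guessing without requiring a mailbox round trip to recover.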
  • 0
    Not for NP class of problems.