That’s partially why I added “…at the very least”. The actual strength of the key depends on the number of possible combinations the attacker has to try.
If you ask me “What is the strength of a 32 character password?” My first question back is: what’s a character? Actually it get’s complicated, because it depends on encoding such as US-ASCII, Ansi (in various variations) Unicode (in various variations etc). If we say US-ASCII, that’s 95 possibilities per character. That’s 95^32 number of combinations, equal to 210 bits and change.
However, in your case, the question was “What is the strength of a 32 character hexadecimal string as a password”. Here I now assume that we *know* that it’s a hexadecimal string, and that it’s exactly 32 characters, and that we even know if you’re using upper or lower case A-F. In this case, the strength is exactly 128 bits. If we don’t know if you’re using upper or lowercase, it get’s stronger. If we don’t know if you are using exactly 32 characters, it get’s stronger. How much I leave as an exercise for the reader ;-)
The way AxCrypt works with the password is through a complicated process that adds time to what an attacker has to do in order to try a given password, and also ensures that regardless of if you enter 10 characters or a thousand, we still use them all as best we can and input exactly 128 or 256 bits to the underlying encryption algorithm.
You might want to Google “password based key derivation” for more info. Wikipedia is a good place to start to read about the function AxCrypt uses: https://en.wikipedia.org/wiki/PBKDF2 . AxCrypt currently uses PBKDF2-HMAC-SHA-512 with a 1000 iterations. This is not extremely high, since we then use another iterative keywrap for the actual file key.