top | item 34500853


adament | 3 years ago

I am not a cryptographer, but to my understanding, the number of PBKDF iterations is really only of concern for weak (low-entropy) passwords. If you know that your password has high entropy (>128 bit), for example because you generated it uniformly at random from at least 2^128 possible outcomes[1], you are safe even if you used only 1 iteration. PBKDF is all about password strengthening, so if you are making changes for yourself, the most effective change is just to use a secure password and stop worrying about key derivation functions.

[1] 28 characters in a single case, 23 characters if both upper and lower case are used, 22 characters if you include numbers, 12 words if you use a word list of 2000 words and sample uniformly


e12e | 3 years ago

> If you know that your password has high entropy (>128 bit)

I don't think that is practical for most users - 12 words (or 10 taken from a 10k list) - or 22 random alphanumeric characters - is hard to remember - and long enough that they are difficult to type correctly. 70 bits might be a more sensible goal - but still long. (6/7 words, 12 characters from a set of 62).

This is the "trust anchor", so something the user needs to remember and type in - from what I've seen - remembering/representing and inputting 128 random bits is tricky.

And with modest stretching and a salt, probably overkill anyway.

adament | 3 years ago

I think your point is valid and important, especially considering the average user. However, in my experience it worked surprisingly well with a long word-based master password. Since I only needed to remember 1 password that I then used daily, it was not that difficult. And typing it was quick since it was all lowercase, which most keyboards are optimized for. However, the issue came when I started using my password vault on my phone and tablet. I was way too slow at typing on them. I now have a 22 character password which takes the same time for me to type on a keyboard, maybe a bit slower, but is faster on my phone though still annoyingly slow.

As for a 70-bit password, it might be enough, but you need a lot of iterations (2^58) if you want to completely make up for the lost security margin. Which will also be unusably slow in practice.
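
The arithmetic behind the figures in this thread, as an added example that is not part of any comment above. It assumes every symbol is sampled uniformly and independently and that each KDF iteration costs an attacker one unit of work per guess, so stretching adds about log2(iterations) bits; the 10^6 iterations per second rate is a constructed value, not a measurement.

```python
import math

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, target_bits=128):
    """Fewest uniformly sampled symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def effective_bits(password_bits, iterations):
    """Attacker work per full search: password entropy plus log2(iterations).
    Simplification: assumes attacker and defender pay the same cost per iteration."""
    return password_bits + math.log2(iterations)

def iterations_to_reach(password_bits, target_bits=128):
    """Iterations needed for stretching to cover the whole entropy deficit."""
    deficit = target_bits - password_bits
    return 1 if deficit <= 0 else 2 ** math.ceil(deficit)

def unlock_years(iterations, rate_per_second):
    """Time the legitimate user waits for one key derivation."""
    return iterations / rate_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    schemes = [("single-case letters", 26), ("mixed-case letters", 52),
               ("alphanumeric", 62), ("2000-word list", 2000),
               ("10k-word list", 10_000)]
    for name, size in schemes:
        n = min_length(size)
        print(f"{name:20s} {n:2d} symbols -> {entropy_bits(size, n):6.1f} bits")

    # The shorter passwords suggested as a more practical goal.
    for name, size, n in [("12 alphanumeric", 62, 12),
                          ("6 words of 2000", 2000, 6),
                          ("7 words of 2000", 2000, 7)]:
        print(f"{name:20s} {entropy_bits(size, n):6.1f} bits")

    # Closing the gap from 70 to 128 bits purely with iterations.
    need = iterations_to_reach(70)
    print(f"iterations needed: 2^{need.bit_length() - 1}")
    # ASSUMED_RATE is a constructed figure for illustration only.
    ASSUMED_RATE = 1_000_000
    print(f"one unlock at {ASSUMED_RATE:,}/s: {unlock_years(need, ASSUMED_RATE):,.0f} years")
    print(f"70 bits with 2^20 iterations: {effective_bits(70, 2**20):.0f} bits")
```
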