Blog | G5 Cyber Security

PBKDF2 Iterations: When is Enough, Enough?

TL;DR

After around 307,200 iterations (or 1 second of computation time on a typical modern computer) with PBKDF2-HMAC-SHA256 using a strong salt, the security gains from adding more iterations become very small. Focusing on long, random salts and key lengths is more important than endlessly increasing iteration counts.

Understanding PBKDF2

PBKDF2 (Password-Based Key Derivation Function 2) is used to turn a password into a secure key. It does this by repeatedly applying a hash function to the password, along with a random salt. The number of times it repeats the hashing process is called the ‘iteration count’. More iterations make it harder for attackers to crack the password using brute-force or dictionary attacks.

Why Iterations Matter

  1. Slows Down Attackers: Each iteration takes time. A high iteration count forces an attacker to spend a significant amount of computational resources and time trying every possible password.
  2. Resists Hardware Advances: As computers get faster, attackers can try more passwords per second. Increasing iterations keeps the computation time roughly constant.

The Point of Diminishing Returns

There’s a limit to how much security you gain from increasing iterations. After a certain point, adding more iterations provides very little extra protection while significantly slowing down legitimate password verification.

How Many Iterations Should You Use?

  1. Target Computation Time: A good rule of thumb is to aim for 1 second of computation time on the hardware you expect your users to have. This means an attacker would need at least one second per attempt, making brute-force attacks impractical.
  2. Modern Hardware Baseline: On a typical modern computer (as of late 2023/early 2024), this equates to roughly 307,200 iterations for PBKDF2-HMAC-SHA256. This is based on the assumption that SHA256 hashing takes approximately 10 milliseconds on such hardware.
  3. Example using OpenSSL: You can specify the iteration count when deriving a key. With OpenSSL 3.0 or later, the kdf subcommand runs PBKDF2-HMAC-SHA256 directly (replace the placeholders with your password and a random salt that you store alongside the derived key):
    # 32-byte key, SHA256, 307,200 iterations; YOUR_PASSWORD and YOUR_RANDOM_SALT are placeholders
    openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:YOUR_PASSWORD -kdfopt salt:YOUR_RANDOM_SALT -kdfopt iter:307200 PBKDF2
  4. Salt is Crucial: A strong, random salt (at least 16 bytes) is far more important than a high iteration count. Without a good salt, attackers can use precomputed tables (rainbow tables) to crack passwords quickly.
    openssl rand -base64 32

    This command generates a 32-byte random salt in base64 encoding.

  5. Key Length: Use a key length appropriate for the encryption algorithm you’re using (e.g., 128, 192, or 256 bits).
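The five points above as one working routine in Python, using the standard library's hashlib.pbkdf2_hmac (an added example, not code from the G5 post): it times a short probe run to pick an iteration count that costs the target time on the machine it runs on, derives a 256-bit key with a 16-byte random salt, and stores the parameters a verifier needs to re-derive and compare the key. The function names, record fields and the calibration probe size are my own choices.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
SALT_BYTES = 16   # the post's minimum: at least 16 random bytes
KEY_BYTES = 32    # 256-bit key, sized for AES-256


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = KEY_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=key_len)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 10_000, minimum: int = 1_000) -> int:
    """Measure one probe run and scale to the target time.

    PBKDF2 cost is linear in the iteration count, so a single timed run is enough.
    The result is floored at `minimum` so a noisy measurement cannot produce a weak count."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)  # guard against a zero reading
    return max(minimum, int(probe * target_seconds / elapsed))


def new_password_record(password: str, iterations: int) -> dict:
    """Build the record a verifier needs: KDF name, iteration count, salt and derived key.

    A fresh random salt per password defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    return {
        "kdf": "pbkdf2-hmac-" + HASH_NAME,
        "iterations": iterations,
        "salt": salt,
        "key": derive_key(password, salt, iterations),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    expected = derive_key(candidate, record["salt"], record["iterations"], len(record["key"]))
    return hmac.compare_digest(expected, record["key"])


if __name__ == "__main__":
    count = calibrate_iterations(1.0)          # ~1 s of work on this machine
    rec = new_password_record("correct horse battery staple", count)
    print(count, verify_password(rec, "correct horse battery staple"))
```

Store the whole record (not just the key) so the iteration count can be raised later without invalidating existing entries: verification always uses the count saved with each record.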

Beyond Iterations
