[RFC] Raising PBKDF2 iterations, password strength and StatiCrypt security model about staticrypt HOT 3 CLOSED

Wonderful information, thank you for taking the time to write this up, great job.

Going to take me some time for my old brain to marinate on this, but going to study every word in class next week,

from staticrypt.

More profiling on the time it takes to compute PBKDF2 on my laptop with a decent CPU (Ryzen 7 4750U).

Using Crypto-JS on the decrypt page and averaging two runs for each (for backward compatibility reason, we still do 1k iterations based on SHA1 then Xk iterations based on SHA256):

• 1k + 14k: 323ms (88ms + 235ms)
• 1k + 20k: 399ms (85ms + 314ms)
• 1k + 50k: 859ms (90ms + 769ms)
• 1k + 100k: 1.51s (86ms + 1.42s)

Testing with WebCrypto on Bitwarden help page (which is actually doing more than just computing PBKDF2):

• 100k: 40ms
• 200k: 74ms
• 600k: 160ms
• 1M: 230ms

So WebCrypto is indeed much faster. I think it'd be good for the encrypted page to be accessible even on low end machines. Bitwarden places the bar at 600k or 160ms on my computer. That would be just a few thousands iterations with Crypto-JS - I think we can stretch things a bit and go to 15k total. That would be ~320ms on my laptop, if we assume a low end one would be 4 times slower that's 1.2s to decrypt. Not great, but not inaccessible, plus if you use the "Remember-me" feature you only need to compute it once. And it still adds an order of magnitude to the brute-forcing difficulty, roughly equivalent to adding a random digit to the password.

This trade-off is made more acceptable by the next step: moving to WebCrypto asap. This will allow to raise PBKDF2 to 600k iterations. Thanks to the way the cryptoEngine is abstracted and PR #139, it will be possible to push WebCrypto to 2.x as an optional parameter - once done, we can display a warning like WARNING: if you're opening the file on HTTPS or as a local file, we recommend you use the more secure '-e|--engine webcrypto' option. This will become the default in the next major release. to nudge people towards it.

So my current plan is to:

• increase iteration count to 15k using crypto-js
• add the option to switch to WebCrypto with 600k iterations
• make WebCrypto the default in the next major release (breaking change for people accessing the file on http)

from staticrypt.

I've just released 1.4.3 increasing v1 iteration count to 15k - with this, all proposed changes outlined here should be complete.

I'm now closing that issue. Thank you for reading or participating in the reflection!

from staticrypt.