Should I add one more (or two) Dicewords?

@benfdc

When Reinhold was making his recommendations, there was nothing like PKBDF2, and was working on the assumption that passwords could be tested as quickly as AES keys. I had (erroneously) followed his advice in that first article.

What we have learned since then are the kinds of cracking speeds that are actually achieved. My initial advice was based on extremely pessimistic (from the defenders point of view) guesses about attackers' capabilities. Now that John the Ripper and hashcat actually take on 1Password, we have far better estimates of cracking speed, and so can put things in terms of "how long to crack on such and such system"

This, then, leads to @hawkmoth's excellent point that you need to consider your threats. Is someone going to spend 10 years with a high-end PC trying to crack your Master Password? What resources is an attacker willing to burn to get your Master Password? Only when you've considered that can you make a choice about how strong your Master Password should be.

Cheers, -j

You (@benfdc) are probably right that specific length recommendations should be updated in light of what we now know of attackers' capabilities and of individuals' security requirement. I'm wondering whether there should be a regularly updated table of crack times. Seems like a good idea.

I like trying to cite original sources. A lot of people today are calling this scheme "XKCD Passwords", but I would really like people to recognize the history. (Also that article of mind was posted before the XKCD comic.) I don't like "revising history" putting in a bunch of "Update: ..." things isn't great either. But sometimes exceptions need to be made.

If I were to posit that 7,776 rounds of PBKDF2 equals one Diceware word, would you consider my proposition to be precisely correct, at least in one sense, or would I be oversimplifying matters?

You would be entirely (but interestingly) wrong. Adding PBKDF2 rounds only adds to time needed to crack. But adding diceware worrds multiplies the time to crack.

Going from 10000 PBKDF2 rounds to 17776 rounds doesn't even double the cracking time. Going from three diceware words to four diceware words multiplies the cracking time by 7776.

So when we are talking about cracking time, adding more to the passprhase multiplies the crack time, while PBKDF2 only adds to the crack time. When we think about these things in terms of bits (which are on a logarithmic scale) the each diceware word adds about 13 bits. But in terms of bits, each additional PBKDF2 round adds fewer and fewer. Going from one thousand rounds to ten thousand rounds is like adding about 3.3 bits. But going from ten thousand to nineteen thousand (also adding nine thousand rounds) adds less than a bit.

So there is no general comparison. If you have few (or no) PBKDF2 rounds, then adding rounds helps a lot. But once you've got plenty, adding the same number of rounds doesn't do much good. If you start with ten thousand rounds, then to get the same effect as you would by adding a single diceware word, you would need to have 7776 × 10000 rounds total. That's more than 77 million.

And I'm going to say this another way as well. Adding diceware words dramatically (exponentially) increases the number of guess an attacker needs to make. Adding PBKDF2 rounds adds linearly to the time needed for each guess.

Are OpenPGP private keys protected with PBKDF2 or something of that ilk?

Yep. Indeed, PBKDF2 is an out-growth of non-open PGP. I believe that passphrases generated today with PGP will use 2000 rounds of PBKDF2. But this is not well documented and navigating the source is tough if haven't been following it all along. And you should all be proud of me that I didn't take this opportunity to launch into a discussion of the history of PGP versions, patents, and export controls.

Cheers,

-j

–-
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com

OK. Now I get the question!

Yes, going from one PBKDF2 iteration to 7776 iterations is similar to, but not precisely the same as, adding one diceware word to a password. It's still not "identical to" because it may be off by a constant factor that depends on the ratio of PBKDF2 single round time to single guess time. For example, there might be overhead in a cracker for setting up a new guess that isn't there when just running through PBKDF2 iterations. So I will give you a "yes" if we drop the "precisely the same" part of the question.

The difference is because the PBKDF2 stuff is about the time it takes to make a single guess, while the password strength is about the number of guesses needed. Both of these factor into total crack time, but they are still about different, difficult to compare, things.

And (if you will all forgive the repetition) going from 7776 PBKDF2 rounds to twice that many, 15552, makes a much much smaller difference than the initial move from 1 to 7776. That is, adding one diceware word is like multiplying the number of PBKDF2 iterations by 7776.

The GPU columns in the table from my article on John the Ripper is vague. At the time that it was written there were no GPU implementations. It was based on an off hand comment by Dhiru in his announcement of the the 1Password module for John the Ripper

GPU support is [trivial] to implement and will be done soon (expected

speedup > 100x).

There was no implication about number of GPUs. So in constructing my table, I just picked a 200 time speedup. Note that this was a speedup against a CPU based system that had 8 effective CPUs; so at every point, I was making pessimistic (from the defender's point of view) estimations.

John the Ripper also has a module for the 1Password 4 Cloud Keychain Format, but I haven't actually tested that. Solar Designer says it is really, really slow (as I would expect). hashcat has yet to develop a module for the new format, but as hashcat tends to be faster than JtR at most cracking, I'm waiting for that to really give a guess of speed.

I suppose, I (or someone) should just put together a calculator for these sorts of things, using number of GPUs, number of CPUs, power of each, particular cracking tool used, PBKDF2 rounds, keychain format, and so on. I sort of have parts of those in the spreadsheet that I used to create those tables, but that is most certainly not fit for public consumption.

What I'd really like to see are more benchmarks. But it seems that while both the JtR and hashcat communities are excited about being able to target 1Password, there hasn't actually been a lot of actual cracking attempts. This is a good thing (it means that there haven't been lots of cases of 1Password data being captured). But that good news has a stormy lining of a lack of any real world data on how these stand up. We really are stuck with extrapolating from a very very small handful of data points.

So really, all of our calculations are very rough "back of the envelope" sort of things. The data that we have is rough. The assumption of linear extrapolation of crack time is reasonable, but hardly precise. These are really rough calculations based on only a few real data points.

I try to compensate for that by always erring in favor of the attacker when creating those tables. I round numbers in a way that make for a stronger attacker. So where I measured 4200 guesses per second, I created the table using 5000. Similarly, I reported the time to go through half of the possible passwords.

And now that I've posted that, I think of a simpler example:

Suppose you've got a password that is all lowercase letters. The effect of "append or prepend a random lowercase letter" will increase the possibilities by 26 (not 52). But the effect of "append or prepend a digit" will add 20 possibilities (not 10).

@hawkmoth++

I am thankful every day that Jeff is on our side. :)