Determining the Optimal Number of PBKDF2 Iterations for Technology Evolution
When it comes to using PBKDF2 to derive keys from passwords (including hashing passwords for storage), the question of what constitutes a “sufficient” iteration count often arises. There is no definitive answer, because user-chosen passwords can always be weak regardless of coaching efforts; the goal is therefore to set the iteration count to the highest value that can still be tolerated.
Increasing the iteration count also increases the operational cost, so the count should be set to a value that lets your machine verify passwords in a timely manner. That decision depends on hardware capabilities, expected peak load, and user tolerance for delays. Note too that a higher iteration count makes each verification more expensive for you as well as for an attacker, so it can make your system more vulnerable to denial-of-service attacks: a flood of login attempts forces the server to perform that work for every one of them.
Contrary to popular belief, the iteration count should not be increased on a fixed schedule to track the average technology level. It should be increased when you can afford it, which depends on the servers you have purchased and are currently using. It is therefore advisable to plan an iteration-count increase whenever new hardware is acquired.