Is it not useless to increase iterations in KeePass?



  • So if increasing the number of iterations makes the computation power needed grow in a linear way, wouldn't that be a small increase compared to even a single extra character added to your password?

    Even assuming you make your iterations take several seconds, that would only be as much as somewhere around 3 added characters, which isn't considered much.

    In that case, wouldn't increasing the number of iterations be kinda pointless, since it doesn't increase the difficulty of guessing the password that much (so you still can't get away with passwords that a dictionary can guess, and still have to use better passwords, just like when you didn't use a high number of iterations)?



  • I totally agree that a strong password with weak hashing is better than a weak password with strong hashing. Assuming you're using a random password over all the printable ASCII characters, then adding a char increases crack time ~100x, whereas doubling the work factor only doubles the crack time.

    The point with all password hashing is that it's something that we, software designers, can do to give our users a bit more protection without requiring them to change their behaviour. So why not? Is it gonna totally protect users who choose terrible passwords? No, of course not, but at least it's something.


    As an aside, your intuition is right that password hashing based on a linear time cost (such as PBKDF2) is losing ground to advances in CPU / GPU power. Newer password hashing algorithms like bcrypt or argon2 are based on functions that are both time-hard and memory-hard, requiring the hash to use a large amount of RAM, say 1 MB per guess, in addition to, say, half a second. That severely limits how many password guesses you can be cracking in parallel before you run out of RAM, especially since GPUs or programmable hardware like FPGAs typically have a relatively small amount of RAM.

    And indeed, KeePass seems to be using argon2, and lets you set both the time-hard and memory-hard work factor. Still not an excuse to use a terrible password, but everything helps, right?

    [Image: KeePass password hashing settings]
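The arithmetic both posts are arguing about, as an added worked example that is not part of the original thread: it converts a KDF work-factor multiplier into the number of random printable-ASCII characters (95 assumed, as in the answer) that would buy the same cracking cost, estimates expected crack time, and shows how a memory-hard KDF's per-guess RAM bounds an attacker's parallelism. The attacker RAM figure and the 1 MB per guess are constructed inputs.

```python
import math

PRINTABLE_ASCII = 95  # assumed charset size: all printable ASCII characters


def equivalent_extra_chars(work_factor_multiplier: float,
                           charset_size: int = PRINTABLE_ASCII) -> float:
    """How many extra random characters give the same cracking-cost increase
    as multiplying the KDF work factor by `work_factor_multiplier`.
    Each extra character multiplies the number of guesses by charset_size,
    while the KDF multiplies the cost of each guess linearly, so the
    equivalence is a logarithm: doubling iterations is a fraction of a char."""
    return math.log(work_factor_multiplier) / math.log(charset_size)


def expected_crack_seconds(password_length: int, seconds_per_guess: float,
                           parallel_lanes: int,
                           charset_size: int = PRINTABLE_ASCII) -> float:
    """Average-case time for an attacker enumerating the keyspace: half the
    keyspace, each guess costing seconds_per_guess (the KDF's time cost),
    spread across parallel_lanes independent cracking lanes."""
    guesses = charset_size ** password_length / 2
    return guesses * seconds_per_guess / parallel_lanes


def max_parallel_lanes(attacker_ram_bytes: int, memory_per_guess_bytes: int) -> int:
    """Memory-hard KDFs (argon2) cap parallelism: every in-flight guess needs
    its own memory_per_guess_bytes, so available RAM bounds concurrent lanes."""
    return attacker_ram_bytes // memory_per_guess_bytes


if __name__ == "__main__":
    # Doubling the work factor is worth far less than one extra character.
    print(f"2x work factor  ~ {equivalent_extra_chars(2):.2f} extra chars")
    # A million-fold increase (seconds per guess) is worth about 3 characters,
    # which is the figure the question estimates.
    print(f"1e6x work factor ~ {equivalent_extra_chars(1_000_000):.2f} extra chars")
    # Constructed attacker: 8 GiB of GPU RAM against argon2 at 1 MiB per guess.
    lanes = max_parallel_lanes(8 * 2**30, 2**20)
    print(f"memory-hard KDF limits attacker to {lanes} parallel guesses")
    # 8-char random password, half a second per guess, on those lanes.
    years = expected_crack_seconds(8, 0.5, lanes) / (365 * 24 * 3600)
    print(f"expected crack time for 8 random chars: {years:.0f} years")
```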

