PBKDF2 default iteration rounds #2958

@shithubsucks

Description

private static final int DEFAULT_ROUNDS = 10_000;

How was 10K chosen as the default number of iteration rounds? Seems rather low. Is there some utility to benchmark the speed of the current implementation? If so, that would provide a measurable way to start discussing the iteration count needed.

Does computing the iteration rounds stop the world, or can it complete in its own thread? If so, that changes how long we can spend computing rounds significantly.

RFC 8018 (https://datatracker.ietf.org/doc/html/rfc8018#section-4.2), which was published in 2017 and is still current, recommends anywhere between 1,000 and 10,000,000.

Choosing a reasonable value for the iteration count depends on
environment and circumstances, and varies from application to
application. This document follows the recommendations made in FIPS
Special Publication 800-132 [NISTSP132], which says

  The iteration count shall be selected as large as possible, as
  long as the time required to generate the key using the entered
  password is acceptable for the users. [...] A minimum iteration
  count of 1,000 is recommended. For especially critical keys, or
  for very powerful systems or systems where user-perceived
  performance is not critical, an iteration count of 10,000,000 may
  be appropriate.

OWASP recommends 600,000 iterations or more when HMAC-SHA-256 is used.
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2

FreeBSD's GELI disk encryption system determines that amount of iterations algorithmically when the operating system is installed with that option.
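A small calibration harness in the spirit of the benchmark the issue asks for, added here as an example and not code from the project: it times PBKDF2-HMAC-SHA256 at the quoted 10,000 rounds and at the OWASP 600,000 figure, and picks a per-host iteration count from a target delay, never below the RFC 8018 floor, much as the GELI approach described above does. The sample password and salt are constructed, and `derive`, `time_rounds` and `calibrate` are names chosen for this example.

```python
import hashlib
import time

# Constructed sample inputs for timing only; not secrets from any real system.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

DEFAULT_ROUNDS = 10_000      # value quoted in the issue
OWASP_ROUNDS = 600_000       # OWASP figure for PBKDF2-HMAC-SHA256
RFC8018_MIN_ROUNDS = 1_000   # floor from RFC 8018 / SP 800-132

# Published known answer for PBKDF2-HMAC-SHA256("password", "salt", c=1, dkLen=32),
# used to confirm the primitive is correct before trusting any timing from it.
KNOWN_ANSWER = "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"


def derive(password: bytes, salt: bytes, rounds: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 over the given inputs (stdlib implementation)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen)


def self_check() -> bool:
    """True when the local PBKDF2 matches the published known answer."""
    return derive(b"password", b"salt", 1).hex() == KNOWN_ANSWER


def time_rounds(rounds: int) -> float:
    """Wall-clock seconds for one derivation at the given iteration count."""
    start = time.perf_counter()
    derive(SAMPLE_PASSWORD, SAMPLE_SALT, rounds)
    return time.perf_counter() - start


def calibrate(target_seconds: float, floor: int = RFC8018_MIN_ROUNDS,
              probe: int = DEFAULT_ROUNDS, samples: int = 3) -> int:
    """Iteration count that costs about target_seconds on this host.

    PBKDF2 cost is linear in the count, so the fastest of several probe runs
    (least noise) is scaled to the target. The result never drops below
    `floor`, so a slow host cannot weaken the parameter past the RFC minimum.
    """
    elapsed = min(time_rounds(probe) for _ in range(samples))
    scaled = int(probe * target_seconds / elapsed) if elapsed > 0 else floor
    return max(scaled, floor)


if __name__ == "__main__":
    print("known-answer check:", "ok" if self_check() else "FAILED")
    for rounds in (RFC8018_MIN_ROUNDS, DEFAULT_ROUNDS, OWASP_ROUNDS):
        print(f"{rounds:>9,} rounds: {time_rounds(rounds) * 1000:8.1f} ms")
    print("rounds for ~250 ms on this host:", calibrate(0.25))
```

Run it on the machine that will actually perform the derivation; the ratio between the 10,000 and 600,000 rows is the concrete cost of moving to the OWASP figure, and `calibrate` gives the count a chosen user-visible delay buys there.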
