I have already spoken about Password Based Key Derivation Functions before on this blog and I have discussed secure password storage with PBKDF2 at length in my Pluralsight course, Practical Cryptography in .NET, but in this post I want to expand this a bit and talk about picking suitable iteration lengths for the PBKDF2 key derivation process.
Choosing a good number of iterations for PBKDF2
A reader of this blog, Geoff Hirst, gave me a heads up to an episode of the Security Now podcast and specifically episode 512 where the recent security breach at LastPass was discussed. Luckily no one’s data was actually at risk due to their security policies and good use of encryption, but the podcast talked about something that was interesting and that was, what should you set your PBKDF2 iteration count too?
I must admit I have always used round numbers like 50,000 or 100,000 but the podcast says this isn’t a good idea and you should use 5 figure number, beginning with a number larger than 2, but a random number which isn’t rounded up to specific whole number, as in 50,000 or 100,000.
By making this a random number that you do not disclose you are making an attackers life much harder as they have to get the iteration count correct. Of course you shouldn’t rely on this as a main piece of security information, but anything that can make an attackers life a little harder has to be a good thing.
If you are dealing with a system that has multiple users, why not randomly generate different iteration counts per user. Then if one user does get compromised and their password recovered, your other users are still safe as the attacker would still need to guess their number of iterations.