Measuring PBKDF strength

Graham Steel
August 14, 2017

Password-based key derivation functions (PBKDFs) are used in crypto for two reasons: to store passwords in a secure way, and to derive keys for use in other bits of crypto. We've written before about how they work and what parameters to use.

In our Analyzer tool for auditing application crypto, we have to solve the problem the other way round - how good are the parameters selected by a particular application? Just saying they are "not best practice" is not satisfactory for our users - they want to know if this is a critical issue needing an immediate fix or something that can wait until the next release.

To solve this problem, we've added a rule to our Analyzer that evaluates the strength of a key derived from a password in terms of how long it would take an attacker to crack using the popular open-source password recovery tool Hashcat. We do this by taking the Hashcat benchmarks for various different hash functions, adding the information on what PBKDF, hash and iteration count is actually used in the application obtained by our Tracer, and an evaluation of roughly where the password used would appear in a typical cracking wordlist derived from ZXCVBN. We assume the attacker has the salt value, if indeed one is used (if the salt is absent or repeated with different passwords, other analysis rules will spot this). The result, after a little arithmetic, is an order of magnitude estimate: would an attacker with access to one GPU need one second, one hour, one week?

Instance data showing a cracking time for a password

We've found that this concrete measure of security helps our users a lot in prioritising things to fix. Often, users are surprised by just how fast modern cracking techniques are.

To find other cryptographic flaws in your applications try our Analyzer software.