Given the distractions here from tangents and puzzles, I would like offer my response to various user requests about what they could or should do. This is only how I will go about advising people, in up to five steps and stopping as early as possible.
Can you add a word to your pass phrase? It is your primary and most important defence, more so than the hashing function.
If you are still not happy, use Argon2 with default settings. They are secure, matching recommendation 2 of the standards document and should work on almost any device.
If you are still not happy then increase memory a bit. If you raise it by a factor of 4 then reduce iterations by one to keep time reasonable while still having improved security. Don’t bother touching parallelism. The standard setting is fine for most devices and changing it will make little difference either way.
If you are still not happy then increase iterations. Your vault may take quite a while to open. Have some chocolate.
Beware of falling pianos. It could be a bigger risk.
The table data are consistent with the notion that computation time decreases with increasing p, until p reaches a value that causes the memory bandwidth to saturate, which makes sense (at least to me).
Interestingly, the table suggests that the maximum sustainable bandwidth is approximately 5.4–5.8 GB/s, while the i7-4500 specs quote a value of 25.6 GB/s as the Max Memory Bandwidth for this CPU.
By the way, I noticed I can get about the same entropy as a 5-word randomly generated passphrase using only 11 randomly generated characters. I’m sure anyone could easily remember a password of 11 characters, and it’s easy to type as well. That is if you believe about 65 bits of entropy is sufficient, which is the consensus here.
I don’t know that U9$Z^uHRbc* would be easy to memorize or type.
But 50 bits of entropy should be sufficient if you are not concerned about “steal now, crack later” threats, so you could use a 10-character lowercase alphanumeric password string (e.g., i9c4da3zsu), which at least doesn’t require use of the Shift key. Personally, I still think it would be easier to remember audacious wager endorphin hug, though.
Intel’s maximum assumes pre-fetch is wholly effective. I gather from the papers that Argon2 is designed to negate that. I mentioned earlier the inverse relationship between cycles/byte and memory access as expressed by the authors:
Interesting, though I do not claim to understand it fully. I am going with the observational evidence which supports what they say, and am also happy to defer to the competition judges and the IETF
Except speed. Go for it. I expect you will be able to lower iterations safely to try to maintain some speed. You may want to note my earlier comment that the primary recommendation of RFC 9106 is 2 GiB with a single iteration, hence my rough approximation that you can reduce iterations by 1 for each quadrupling of m.
Me, I can afford more m too, but I never reached the chocolate.
The default recommendation is more than safe enough, exactly as Bitwarden says.
Regarding your comment about an 11 ch password, for any human remembering 5 random words is far easier than remembering 11 random characters, and adding a word adds more entropy than making the string a very non-memorable 13 characters, so what are you going to do? Everyone has their own consensus. Mine is much higher than 65.
