Evaluating Master Password Security: How Many Bits Are Enough for Economic Safety?

I often see discussions about password/passphrase entropy, but relying on entropy alone might not be the best approach.

For the purpose of this discussion, let’s consider randomly generated passphrases using the Diceware method (based on a 7776-word list) as the master password for Bitwarden.

Since everyone has their own threat model, the answer to what constitutes “enough” security is subjective. However, I’m curious about the minimum number of words required to ensure a certain level of “economic” safety.

Thanks to 1Password’s 2018 research (How Strong Should your Account Password be? | 1Password), we now have tools that estimate the cost of cracking a passphrase, which is more practical than just predicting the time required.

A great tool based on this research is the Password Bits passphrase cracking calculator (Passphrase Cracking Calculator - Password Bits).

Bitwarden uses Argon2id as its Key Derivation Function (KDF) with the following default settings (to the best of my knowledge): 64MB memory, 4 threads of parallelism, and 3 iterations. Based on these settings, here are the results:

  • 3-word passphrase:
    • Entropy: 38.8 bits
    • Estimated cost to crack: $7,848 USD
  • 4-word passphrase:
    • Entropy: 51.7 bits
    • Estimated cost to crack: $61,291,152 USD
  • 5-word passphrase:
    • Entropy: 64.6 bits
    • Estimated cost to crack: $476,599,842,792 USD
  • 6-word passphrase:
    • Entropy: 77.5 bits
    • Estimated cost to crack: $3,706,040,377,703,664 USD

Based on these numbers, even if your secrets are worth millions of dollars, a 4-word Diceware-generated passphrase should offer more than enough protection.

However, 1Password’s research is from late 2018, and hardware capabilities have improved since then. To get a more modern perspective, I asked ChatGPT to estimate cracking costs with current hardware. Here are the updated estimates:

  • 3-word passphrase:
    • Entropy: 38.8 bits
    • Cost to crack: $3,152.84–$5,254.73 (high-end GPU vs. ASICs)
  • 4-word passphrase:
    • Entropy: 51.7 bits
    • Cost to crack: $24,516,452.82–$40,860,754.70
  • 5-word passphrase:
    • Entropy: 64.6 bits
    • Cost to crack: $190,639,937,124.68–$317,733,228,541.13
  • 6-word passphrase:
    • Entropy: 77.5 bits
    • Cost to crack: $1,482,416,151,081,473.20–$2,470,693,585,135,789.00

Now, I’m not an expert in cryptography and haven’t done extensive research on current cracking estimates, so I wouldn’t blindly trust these numbers. However, it seems reasonable that even with modern hardware, a 4-word passphrase (again, randomly generated using Diceware) remains secure for most purposes.

Any thoughts on this? Am I missing something? I’d also appreciate any up-to-date links or sources for cracking cost estimates for both “regular” and “hashed” passphrases.

Thanks!

EDIT 11/24/24
ChatGPT estimates (and maths) are wrong, please don’t trust these numbers


When you asked ChatGPT, did you include the KDF function and parameters in the query information? Did it advise the basis of its estimates?

I would not trust ChatGPT on this. I do generally trust the Passwordbits site, but its cost estimates are based in part on data from a 1Password blog that is not fully transparent in its methodology; in addition, the method used to extrapolate from PBKDF2-SHA256 hashing to Argon2id, while not unreasonable, is tied to the hardware used by the blog author (which has not been reported).

The calculations are not that difficult, but the results are dependent on assumptions made. Aaron Toponce has reviewed the cracking speeds available on different types of hardware. Personally, I like the benchmark used by Steve Thomas (sc00bz), which evaluates hash rates achievable by a GPU that costs approximately $1000 USD (high end but not top end) — OWASP recommendations for KDF are based on Steve’s data for throttling cracking speeds to 10,000 hashes/second when one such GPU is used. Thus, one can estimate that an exhaustive search of all possible 4-word passphrases (EFF wordlist) will take almost 12,000 GPU-years. Thus, with a million-dollar investment to acquire 1000 GPUs, the average cracking time would take almost 6 years; bringing the cracking time down to something reasonable (1 month) would require hardware acquisition costs on the order of 140 million dollars.

However, to fully estimate cracking costs, one also needs to take into account the cost of electricity required to run the GPUs nonstop 24/7 for months or years. To estimate the utility costs, one needs to make additional assumptions about the specific hardware used. The fastest available GPU today (Nvidia GeForce RTX 4090) gets 15,000 hashes per second for Bitwarden’s default KDF (600,000 iterations of PBKDF2-SHA256), but draws 450 W of power in so doing. Thus, it can basically crunch 120 million hashes per kW-hour (no matter how many GPUs are used). Therefore, the average amount of electric energy required to crack a random 4-word passphrase is more than 15 million kWh. In the United States, electricity costs are billed at an average rate of $0.14 USD/kWh; therefore, the operating costs for cracking a 4-word passphrase would on average be 2 million dollars.

The total cost is a combination of amortized capital equipment costs and the operating costs (e.g., electrical power), so further assumptions would be required to get a final number. Nonetheless, it is clear that cracking a 4-word passphrase (randomly generated from a list of 7776 words) will require a multimillion dollar investment.


I included the KDF function and its parameters, but it involved a lengthy discussion. He was making basic math errors (ChatGPT struggles with exponents), which led to a lot of back-and-forth. At one point, I lost the conversation history. I also tried logging into the free version, but the math issues persisted.

I attempted to replicate the results several times without success.

Now, I’m just looking for estimates on different hardware guesses per second, and I’ll handle the math myself.

I’ve also edited my initial post to reflect that people should be very cautious about trusting the estimates provided.

Many thanks for your reply, it was very informative!

In addition to the sources you mentioned (Aaron Toponce and Steve Thomas), I am adding Chick3nman’s Hashcat v6.2.6 benchmark on the Nvidia RTX 4090.

With your logical reasoning and the sources available, I tried to start a new discussion with ChatGPT. This time, my goal was to obtain estimates of the cracking speeds of different hardware for various scenarios:

  • plaintext passphrase
  • PBKDF2-SHA256 with 600,000 iterations
  • Argon2id with 64MB memory, 4 threads of parallelism, and 3 iterations.

After some interactions, these are the tables provided:

Table 1: Cracking a Plaintext Passphrase (No Hashing)

| Hardware | Cracking Speed (guesses/s) | Hardware Cost (USD) | Power Consumption (W) |
|---|---|---|---|
| Nvidia A100 | ~100-110 billion | ~$11,000 | ~400 |
| Nvidia H100 | ~150-170 billion | ~$35,000 | ~700 |
| Nvidia RTX 4090 | ~265 billion | ~$1,600 | ~450 |
| AMD RX 7900 XTX | ~150 billion | ~$900 | ~355 |
| FPGA (Virtex UltraScale+) | ~1-2 billion | ~$25,000 | ~300 |
| ASIC (Bitmain Antminer S21 Pro) | ~300-350 billion | ~$5,000 | ~3,200 |
| ASIC (Custom) | ~500 billion+ | ~$30,000+ | ~6,000 |

Table 2: Cracking a Passphrase with PBKDF2-SHA256 (600,000 Iterations)

| Hardware | Cracking Speed (guesses/s) | Hardware Cost (USD) | Power Consumption (W) |
|---|---|---|---|
| Nvidia A100 | ~2,500-3,000 | ~$11,000 | ~400 |
| Nvidia H100 | ~3,500-4,000 | ~$35,000 | ~700 |
| Nvidia RTX 4090 | ~2,000-2,500 | ~$1,600 | ~450 |
| AMD RX 7900 XTX | ~1,500-2,000 | ~$900 | ~355 |
| FPGA (Virtex UltraScale+) | ~500-800 | ~$25,000 | ~300 |
| ASIC (Bitmain Antminer S21 Pro) | ~50,000-100,000 | ~$5,000 | ~3,200 |
| ASIC (Custom) | ~100,000+ | ~$30,000+ | ~6,000 |

Table 3: Cracking a Passphrase with Argon2id (64MB Memory, 4 Parallelism, 3 Iterations)

| Hardware | Cracking Speed (guesses/s) | Hardware Cost (USD) | Power Consumption (W) |
|---|---|---|---|
| Nvidia A100 | ~80-100 | ~$11,000 | ~400 |
| Nvidia H100 | ~100-150 | ~$35,000 | ~700 |
| Nvidia RTX 4090 | ~60-100 | ~$1,600 | ~450 |
| AMD RX 7900 XTX | ~50-80 | ~$900 | ~355 |
| FPGA (Virtex UltraScale+) | ~10-25 | ~$25,000 | ~300 |
| ASIC (Bitmain Antminer S21 Pro) | ~30-50 | ~$5,000 | ~3,200 |
| ASIC (Custom) | ~50-100 | ~$30,000+ | ~6,000 |

Any feedback on the estimates provided? It seems to underestimate cracking speeds compared to your assumptions.

EDIT 11/25/24
ChatGPT estimates are wrong, please don’t trust these numbers

In your Table 2, the following result should be 15,000 guesses/s, because the 600k PBKDF2 hashing is based on sc00bz’s estimates for ⅔ the performance of a RTX 4090 GPU.


Would you mind showing your work?

As mentioned, this is not my work but rather the output from ChatGPT after several interactions. I asked it to consider various sources on this topic (specifically the ones mentioned here), but as you can see, the results are far from perfect. I corrected it a couple of times but eventually got tired of the back-and-forth. I decided to share the estimates anyway to gather feedback and see if we could improve the tables without relying on AI, or at least assess its underestimations.

ChatGPT is not suitable for this type of activity, and attempting to reverse-engineer its output would be an exercise in futility. I would suggest adding your disclaimer (“ChatGPT estimates (and maths) are wrong, please don’t trust these numbers”) also to your second set of results.

I’m also not going to hand-calculate over 60 results. However, if there is a specific combination of hardware, KDF, and password entropy that you’re interested in, I would consider running some additional numbers for you on a case-by-case basis.


I appreciate your insights! I have run some numbers - with the help of your inputs - and I am sharing them below.

Currently, I have the following estimates based on the fastest available GPU, the Nvidia RTX 4090:

  • Plaintext: 265.3 GH/s (Chick3nman)
  • Bitwarden default settings:
    • PBKDF2-HMAC-SHA256 with 600,000 iterations: 15,000 guesses/s (Thomas)
    • Argon2id with m=64MB, t=3, p=4: Since there’s no benchmark, I’m using Thomas’s estimates. He suggests 10,000 guesses/s for Argon2id with m=49 MiB, t=1, p=1. I’m scaling this down to 3,333 guesses/s because the time required for each hash increases linearly with the number of passes. However, I’m unsure how to estimate the effects of increased memory and parallelism compared to Thomas’s recommendations. Any thoughts?

I have seen in your old post here Thomas’ recommendations to reduce the minimum rate for encryption. Any idea if he shared the KDF parameters needed to reduce guesses below 1,000/s?

Anyway, here are my calculations for the above scenarios: 265.3 billion, 15,000, and 3,333 guesses/s.

Table 1 - 265.3 Billion Guesses/s

| Passphrase Entropy (bits) | Average Guesses (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W/unit) | Electricity Price ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 0 | 0 | 39 | 0 | 0 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 0 | 4 | 39 | 0 | 4 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 21 | 30,921 | 39 | 801 | 31,722 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 160,870 | 241,304,366 | 39 | 6,254,609 | 247,558,975 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |

Table 2 - 15,000 Guesses/s

| Passphrase Entropy (bits) | Average Guesses (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W/unit) | Electricity Price ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 6 | 8,614 | 39 | 223 | 8,837 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 47,043 | 70,564,421 | 39 | 1,829,030 | 72,393,451 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 364,587,746 | 546,881,619,260 | 39 | 14,175,171,571 | 561,056,790,832 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 2,845,246,592,009 | 4,267,869,888,013,860 | 39 | 110,623,187,497,319 | 4,378,493,075,511,180 | 15,000 | 1,500 | 30 | 450 | 0.12 |

Table 3 - 3,333 Guesses/s

| Passphrase Entropy (bits) | Average Guesses (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W/unit) | Electricity Price ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 26 | 38,766 | 39 | 1,005 | 39,771 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 211,714 | 317,571,652 | 39 | 8,231,457 | 325,803,109 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 1,640,808,939 | 2,461,213,408,012 | 39 | 63,794,651,536 | 2,525,008,059,548 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 12,804,890,153,057 | 19,207,335,229,585,300 | 39 | 497,854,129,150,852 | 19,705,189,358,736,200 | 3,333 | 1,500 | 30 | 450 | 0.12 |

Notes

  • The entropy levels used correspond to 3-word, 4-word, 5-word, and 6-word Diceware passphrases.
  • These calculations do not account for other operational costs (e.g., hardware needed to run the GPUs) or capital amortization costs. However, for a short cracking duration (30 days), one could assume the equipment could be sold at a low loss.

Remember, just 1 bit of entropy will double the costs for an attacker. In this context, every bit truly counts!

As a final note, you want the cost to crack your password to be significantly higher than the value of your secrets - ideally at least double. For added security, a cracking cost that is three to five times the value of the secrets provides a larger buffer against potential attacks. I’d appreciate any feedback on this approach!

Change cracking time ratiometrically with memory, as with iterations. For practical purposes, ignore parallelism.

This is not authoritative but follows extensive discussion of those factors based on research of Argon2 papers and formal advice therein.


I have just realised that I could use Thomas’ inequality directly to estimate the rate with m >= 64MiB, t=3:
65536 (64MiB) >= (960,000,000,000 / x / 1024) / (3*3-1) * 0.95 →
x >= 1696.36
Considering the RTX 4090 as 1.5 GPUs, that’s around 2,555 hashes/s.

Although I am not sure if the numbers are correct, since I don’t understand how using the inequality he came up with the result of 49MiB for 10,000 hashes/s on the RTX. Maybe it is because α≈95% and I consider α=95%?

Thanks
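
The cost model this thread works with (keyspace, average guesses, GPU-years, electricity, and the 30-day hardware-plus-energy tables), written out as an added worked example in Python. This is not code from any participant, from Bitwarden, or from the sources cited above. Every hardware figure is an assumption taken from numbers quoted in the thread: an RTX 4090-class GPU at 265.3 billion plaintext guesses/s or 15,000 PBKDF2-SHA256/600k guesses/s, 450 W, about $1,500 per unit; $0.12 to $0.14 per kWh; and sc00bz’s 10,000 guesses/s for Argon2id with m=49 MiB, t=1. The Argon2 rescaling assumes, as the reply two posts above advises, that per-hash work grows linearly with memory and with passes and that parallelism can be ignored. It uses the exact keyspace 7776^n rather than 2^bits, so its figures differ very slightly from the tables.

```python
"""Brute-force cost model for a random Diceware passphrase (added example)."""
import math

WORDLIST_SIZE = 7776              # Diceware / EFF long wordlist
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed attacker hardware, taken from figures quoted in the thread.
# These are assumptions for illustration, not measurements made here.
GPU = {
    "plaintext_rate": 265.3e9,    # Chick3nman hashcat benchmark, no hashing
    "pbkdf2_600k_rate": 15_000,   # sc00bz-based estimate, PBKDF2-SHA256 600k
    "unit_cost_usd": 1_500,
    "watts": 450,
}


def entropy_bits(words, wordlist=WORDLIST_SIZE):
    """Entropy of a uniformly random passphrase of `words` words."""
    return words * math.log2(wordlist)


def keyspace(words, wordlist=WORDLIST_SIZE):
    """Number of distinct passphrases (exact integer, not 2**bits)."""
    return wordlist ** words


def scale_argon2_rate(base_rate, base_m_kib, base_t, m_kib, t):
    """Rescale a benchmarked Argon2 guess rate to other parameters.

    Assumption (per the Argon2 design): work per hash grows linearly with
    memory and with the number of passes; parallelism is ignored.
    """
    return base_rate * (base_m_kib / m_kib) * (base_t / t)


def gpu_years(guesses, rate):
    """Wall-clock years for one GPU at `rate` guesses/s to make `guesses`."""
    return guesses / rate / SECONDS_PER_YEAR


def energy_kwh(guesses, rate, watts):
    """Electrical energy to make `guesses`; independent of the GPU count."""
    guesses_per_kwh = rate * 3600 / (watts / 1000)
    return guesses / guesses_per_kwh


def crack_cost(words, rate, days, unit_cost, watts, kwh_price,
               wordlist=WORDLIST_SIZE):
    """Hardware plus electricity to search half the keyspace within `days`.

    Mirrors the thread's 30-day tables: the unit count stays fractional (the
    tables do the same) and capital amortisation is ignored.
    """
    avg_guesses = keyspace(words, wordlist) / 2
    units = avg_guesses / (rate * days * SECONDS_PER_DAY)
    energy_per_unit = watts / 1000 * 24 * days * kwh_price
    hardware = units * unit_cost
    energy = units * energy_per_unit
    return {
        "entropy_bits": entropy_bits(words, wordlist),
        "avg_guesses": avg_guesses,
        "units": units,
        "hardware_usd": hardware,
        "energy_usd": energy,
        "total_usd": hardware + energy,
    }


if __name__ == "__main__":
    # Figures from the reply on GPU-years and electricity (4-word passphrase).
    full = keyspace(4)
    print(f"4 words: {entropy_bits(4):.1f} bits, {full:,} passphrases")
    print(f"exhaustive search at 10,000/s: {gpu_years(full, 10_000):,.0f} GPU-years")
    kwh = energy_kwh(full / 2, GPU["pbkdf2_600k_rate"], GPU["watts"])
    print(f"average energy at 15,000/s and 450 W: {kwh:,.0f} kWh "
          f"(${kwh * 0.14:,.0f} at $0.14/kWh)")

    # Argon2id at Bitwarden's defaults, rescaled from sc00bz's 49 MiB, t=1 figure.
    argon2_rate = scale_argon2_rate(10_000, 49 * 1024, 1, 64 * 1024, 3)
    print(f"Argon2id m=64MiB t=3 (rescaled): {argon2_rate:,.0f} guesses/s")

    # The three 30-day tables.
    for label, rate in [("plaintext", GPU["plaintext_rate"]),
                        ("PBKDF2-SHA256 600k", GPU["pbkdf2_600k_rate"]),
                        ("Argon2id 64MiB/t=3", argon2_rate)]:
        print(f"\n30-day crack, {label} ({rate:,.0f} guesses/s):")
        for words in (3, 4, 5, 6):
            c = crack_cost(words, rate, 30, GPU["unit_cost_usd"],
                           GPU["watts"], 0.12)
            print(f"  {words} words ({c['entropy_bits']:.1f} bits): "
                  f"{c['units']:,.0f} GPUs, hardware ${c['hardware_usd']:,.0f}, "
                  f"energy ${c['energy_usd']:,.0f}, total ${c['total_usd']:,.0f}")
```

Running it reproduces the earlier reply’s figures (about 11,600 GPU-years for a full 4-word search at 10,000 guesses/s; roughly 15.2 million kWh on average at 15,000 guesses/s and 450 W, about $2.1M at $0.14/kWh) and the 4-word row of Table 2 (about 47,000 GPUs, $70.5M of hardware and $1.83M of electricity for a 30-day search). The memory-and-passes rescaling gives about 2,550 guesses/s for Argon2id at 64 MiB, t=3, close to the ~2,555 obtained from Thomas’ inequality in the last post and below the 3,333 used in Table 3, which scaled by passes only.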