I appreciate your insights! I have run some numbers - with the help of your inputs - and I am sharing them below.
Currently, I have the following estimates based on the fastest available GPU, the Nvidia RTX 4090:
- Plaintext: 265.3 GH/s (Chick3nman)
- Bitwarden default settings:
  - PBKDF2-HMAC-SHA256 with 600,000 iterations: 15,000 guesses/s (Thomas)
  - Argon2id with m=64MB, t=3, p=4: Since there’s no benchmark, I’m using Thomas’s estimates. He suggests 10,000 guesses/s for Argon2id with m=49 MiB, t=1, p=1. I’m scaling this down to 3,333 guesses/s because the time required for each hash increases linearly with the number of passes. However, I’m unsure how to estimate the effects of increased memory and parallelism compared to Thomas’s recommendations. Any thoughts?
I have seen, in your old post here, Thomas’s recommendations to reduce the minimum rate for encryption. Any idea whether he shared the KDF parameters needed to reduce guesses below 1,000/s?
Anyway, here are my calculations for the above scenarios: 265.3 billion, 15,000, and 3,333 guesses/s.
Table 1 - 265.3 Billion Guesses/s
| Passphrase Entropy (bits) | Possible Combinations (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W) | Energy Cost ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 0 | 0 | 39 | 0 | 0 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 0 | 4 | 39 | 0 | 4 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 21 | 30,921 | 39 | 801 | 31,722 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 160,870 | 241,304,366 | 39 | 6,254,609 | 247,558,975 | 265,300,000,000 | 1,500 | 30 | 450 | 0.12 |
Table 2 - 15,000 Guesses/s
| Passphrase Entropy (bits) | Possible Combinations (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W) | Energy Cost ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 6 | 8,614 | 39 | 223 | 8,837 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 47,043 | 70,564,421 | 39 | 1,829,030 | 72,393,451 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 364,587,746 | 546,881,619,260 | 39 | 14,175,171,571 | 561,056,790,832 | 15,000 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 2,845,246,592,009 | 4,267,869,888,013,860 | 39 | 110,623,187,497,319 | 4,378,493,075,511,180 | 15,000 | 1,500 | 30 | 450 | 0.12 |
Table 3 - 3,333 Guesses/s
| Passphrase Entropy (bits) | Possible Combinations (2^n / 2) | Hardware Units | Hardware Investment ($) | Energy Cost ($/unit) | Energy Costs ($) | Total Investment ($) | Cracking Speed (guesses/s) | Hardware Cost ($/unit) | Cracking Time (days) | Power Consumption (W) | Energy Cost ($/kWh) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 38.70 | 223,270,238,621 | 26 | 38,766 | 39 | 1,005 | 39,771 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 51.70 | 1,829,029,794,780,360 | 211,714 | 317,571,652 | 39 | 8,231,457 | 325,803,109 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 64.62 | 14,175,171,571,228,000,000 | 1,640,808,939 | 2,461,213,408,012 | 39 | 63,794,651,536 | 2,525,008,059,548 | 3,333 | 1,500 | 30 | 450 | 0.12 |
| 77.55 | 110,623,187,497,319,000,000,000 | 12,804,890,153,057 | 19,207,335,229,585,300 | 39 | 497,854,129,150,852 | 19,705,189,358,736,200 | 3,333 | 1,500 | 30 | 450 | 0.12 |
Notes
- The entropy levels used correspond to 3-word, 4-word, 5-word, and 6-word Diceware passphrases.
- These calculations do not account for other operational costs (e.g., hardware needed to run the GPUs) or capital amortization costs. However, for a short cracking duration (30 days), one could assume the equipment could be sold at a low loss.
Remember, just 1 bit of entropy will double the costs for an attacker. In this context, every bit truly counts!
As a final note, you want the cost to crack your password to be significantly higher than the value of your secrets - ideally at least double. For added security, a cracking cost that is three to five times the value of the secrets provides a larger buffer against potential attacks. I’d appreciate any feedback on this approach!
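The cost model behind the three tables, written out as an added Python example (editor's code, not part of the original post). It reuses the post's parameters as assumptions: a hypothetical attacker rig of $1,500 RTX 4090s at 450 W, electricity at $0.12/kWh, a 30-day campaign, fractional GPU counts, and expected search effort of half the keyspace (2^n / 2). The Argon2id rate of 3,333 guesses/s is the post's own estimate, not a benchmark. `min_entropy_bits` is an inverse added here so the "cost should exceed the value of the secret" rule of thumb can be turned into a required passphrase length.

```python
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Rig:
    """One GPU of an assumed attacker rig (values taken from the tables above)."""
    guesses_per_second: float            # rate of ONE GPU against the target KDF
    unit_cost_usd: float = 1_500.0       # assumed RTX 4090 purchase price
    power_watts: float = 450.0           # assumed board power while cracking
    electricity_usd_per_kwh: float = 0.12


# The three scenarios of the post; the Argon2id figure is the post's estimate.
PLAINTEXT = Rig(guesses_per_second=265.3e9)   # no KDF, 265.3 GH/s
PBKDF2_600K = Rig(guesses_per_second=15_000)  # PBKDF2-HMAC-SHA256, 600,000 iterations
ARGON2ID_EST = Rig(guesses_per_second=3_333)  # Argon2id m=64MB, t=3, p=4 (estimate)


def diceware_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a Diceware passphrase: log2(7776) ~= 12.925 bits per word."""
    return words * math.log2(wordlist_size)


def expected_guesses(entropy_bits: float) -> float:
    """A brute-force attacker finds a uniformly random secret after half the keyspace on average."""
    return 2.0 ** (entropy_bits - 1)


def energy_cost_per_gpu(rig: Rig, days: float) -> float:
    """Electricity for one GPU running flat out for `days` (450 W * 720 h * $0.12 = $38.88)."""
    kwh = rig.power_watts / 1000.0 * days * 24
    return kwh * rig.electricity_usd_per_kwh


def gpus_needed(entropy_bits: float, rig: Rig, days: float) -> float:
    """Fractional number of GPUs that finishes the expected search inside `days`."""
    return expected_guesses(entropy_bits) / (rig.guesses_per_second * days * SECONDS_PER_DAY)


def cracking_cost(entropy_bits: float, rig: Rig, days: float = 30) -> dict:
    """Hardware + energy spend for the expected-case crack, as in the tables."""
    gpus = gpus_needed(entropy_bits, rig, days)
    hardware = gpus * rig.unit_cost_usd
    energy = gpus * energy_cost_per_gpu(rig, days)
    return {"gpus": gpus, "hardware_usd": hardware, "energy_usd": energy,
            "total_usd": hardware + energy}


def min_entropy_bits(target_cost_usd: float, rig: Rig, days: float = 30) -> float:
    """Inverse of cracking_cost: the entropy at which the expected crack costs `target_cost_usd`.

    total = 2^(n-1) * cost_per_guess, so n = log2(total / cost_per_guess) + 1.
    """
    cost_per_guess = (rig.unit_cost_usd + energy_cost_per_gpu(rig, days)) / (
        rig.guesses_per_second * days * SECONDS_PER_DAY)
    return math.log2(target_cost_usd / cost_per_guess) + 1


if __name__ == "__main__":
    scenarios = {"plaintext": PLAINTEXT, "PBKDF2 600k": PBKDF2_600K, "Argon2id est.": ARGON2ID_EST}
    for words in (4, 5, 6):
        bits = diceware_entropy_bits(words)
        for name, rig in scenarios.items():
            c = cracking_cost(bits, rig)
            print(f"{words} words ({bits:.2f} bits) {name:>14}: "
                  f"{c['gpus']:>14,.1f} GPUs, total ${c['total_usd']:>26,.0f}")
    # Rule of thumb from the post: cracking cost at least 2x the value of the secret.
    secret_value_usd = 1_000_000
    for name, rig in scenarios.items():
        print(f"bits needed so a 30-day crack costs 2x ${secret_value_usd:,} under {name}: "
              f"{min_entropy_bits(2 * secret_value_usd, rig):.1f}")
```

Running the script reproduces the table rows (for example about 20.6 GPUs and roughly $31.7k for a 5-word passphrase against plaintext, or about $8.8k for 3 words under PBKDF2) and shows that, under this model, a one-bit increase doubles every dollar figure because both hardware and energy scale linearly with the GPU count. The fractional-GPU assumption is what lets the 51.70-bit plaintext row show $4: it prices a fraction of a GPU-month, which is consistent with the post's note that short-lived hardware can be resold.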