PBKDF2 vs Argon2 - which is better?

Yeah, they picked parameters from a standard that is currently stronger than the OWASP recommendation: Password Storage - OWASP Cheat Sheet Series

Although people also keep pointing out that these numbers, including the 600,000 round PBKDF2, are for storing password hashes.

The application (authentication vs. encryption) is somewhat arbitrary. The benchmark tests that the OWASP recommendations are based on simply establish the configuration that results in a hash calculation rate of 10,000 hashes/second on a single GPU that has an MSRP of around $1k (in today’s dollars) — i.e., “a current high-end but not super high-end GPU”.

1 Like

Excellent! That seems to be a number used by zxcvbn as well (10K/sec, slow hash).

I understand (and more or less agree with) your point, but note that I had said “to complete the Argon2id calculations for every possible word permutation” (emphasis added).

My point stands. You can adequately protect your vault with a sufficiently strong master password. For a 4-word random passphrase using even default KDF settings (600k iterations of PBKDF2-SHA256), if subjected to a brute-force attack using an RTX 4090 GPU, the attacker will have 100% probability of success if they continuously generate word permutations for 7729 years. They will have a 50% probability of success if they stop guessing after only 3865 years, or a 1% probability of success if they abort their attack after 77 years.

The odds of winning the jackpot of the MegaMillions lottery have been estimated at about 1 in 300 million (0.0000003%). Thus, running the hypothetical attack described above for about 15 min would have a probability of success equivalent to the probability of winning the lottery. However, increasing the passphrase length to 5 words would force the attacker to keep computing non-stop for about 75 days just to raise their chance of success to a level that matches the chances of winning the MegaMillions jackpot. At this point, a rational attacker would just go out and buy a lottery ticket instead of spending almost a quarter of a year trying to guess your passphrase (not to mention the fact that the electricity cost associated with running a 450-watt GPU 24/7 for this length of time amounts to about 50× the cost of a lottery ticket).

Put another way — when the attacker’s electricity costs are equivalent to the cost of a lottery ticket, their chances of cracking a 5-word passphrase are about 50× lower than their chances of winning the lottery jackpot. No hacker is going to bother with such an attack unless the contents of your vault have a valuation in the billions of dollars.

7 Likes
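
The arithmetic behind the estimates in the post above, as an added example that is not part of the original thread. It assumes a 7776-word list (the EFF long list), 365-day years, and a guess rate of 15,000/s, which is the rate implied by the 7729-year figure rather than one stated in the thread; the electricity price is also an assumed value.

```python
import math

WORDLIST_SIZE = 7776             # assumption: EFF long word list (6**5 words)
GUESSES_PER_SECOND = 15_000      # assumption: rate implied by the "7729 years" figure
SECONDS_PER_YEAR = 365 * 86_400  # assumption: 365-day years
LOTTERY_ODDS = 1 / 300_000_000   # from the post


def keyspace(words: int) -> int:
    """Number of equally likely passphrases of `words` random words."""
    return WORDLIST_SIZE ** words


def entropy_bits(words: int) -> float:
    """Entropy of a passphrase of `words` uniformly chosen words."""
    return words * math.log2(WORDLIST_SIZE)


def seconds_to_reach(probability: float, words: int,
                     iterations: int = 600_000) -> float:
    """Seconds of non-stop guessing until P(success) reaches `probability`.

    Guessing without repeats against a uniformly random passphrase makes the
    success probability linear in the number of guesses. PBKDF2 cost is
    linear in the iteration count, so the rate scales as 600_000/iterations.
    """
    rate = GUESSES_PER_SECOND * 600_000 / iterations
    return probability * keyspace(words) / rate


def electricity_usd(seconds: float, watts: float = 450,
                    usd_per_kwh: float = 0.13) -> float:
    """Energy cost of the run; the price per kWh is an assumed value."""
    return watts / 1000 * seconds / 3600 * usd_per_kwh


if __name__ == "__main__":
    for p in (1.0, 0.5, 0.01):
        years = seconds_to_reach(p, 4) / SECONDS_PER_YEAR
        print(f"4 words, P={p:>4}: {years:7.0f} years")
    for words in (4, 5, 6):
        t = seconds_to_reach(LOTTERY_ODDS, words)
        print(f"{words} words ({entropy_bits(words):.1f} bits): "
              f"{t / 86_400:10.2f} days to match lottery odds, "
              f"${electricity_usd(t):,.2f} electricity")
```

Each extra word multiplies every figure by 7776, while doubling the PBKDF2 iteration count only doubles it, which is why passphrase length dominates the KDF setting in these estimates.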