Enable advanced users to increase the iteration count above 2m with a warning.
Currently 2 million iterations is a hard ceiling.
Replace the hard error with an “are you sure, this will be really really slow on older devices” kind of prompt.
Related topics + references
While this is sufficient for most attackers today, it may not be future proof. To prevent future offline attacks against a vault stolen today, allowing the paranoid to configure any number of iterations would add safety to a strong master password.
Surely 2,000,000 iterations of PBKDF2 takes all (but the worst passwords) out of the realm of brute forcing.
If 2 million isn’t enough then I think we need a better algorithm that is resistant to GPUs.
BTW I understand Argon2 requires more memory, so it limits the parallelism of an attack because the GPU will exhaust its memory before using all its cores. How much benefit is Argon2 over PBKDF2?
I know you can't say definitively, so I'm looking for an educated guess here.
I’d be open to a solution that provides an alternate algorithm. My main concern is that whatever password stretching we get out of the process needs to be very future proof. The whole affair with LastPass made me realize that I have 100s of credentials that I’m never going to be able to roll, and those are forevermore only as secure as the LastPass iteration count at the time of the breach. 10 years from now that might be a trivial obstacle to overcome. It’s likely to be less trivial if I severely over-index on the password stretching technique. I don’t mind waiting a second (or three) to sign in if that would limit the attacker of 2035 in a meaningful way.
A much better strategy for future-proofing your vault is to strengthen your master password. Even going from 100,000 iterations (the default in the past 5 years) to 6,000,000 iterations (in order to reduce cracking speeds to 1000 guesses per second per GPU, as recommended by Steve Thomas) is not as effective as simply adding a single random character to your master password. Adding a single random word to your master password is more than 100× more effective than increasing the iteration count from 100k to 6 million.
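The comparison in the reply above, worked through as an added example that is not part of the thread. It assumes a random character is drawn from the 95 printable ASCII symbols and a random word from a 7776-word Diceware-style list (neither figure is stated in the thread), and that PBKDF2 guess rate scales inversely with the iteration count; all function names are illustrative.

```python
import math

# Assumptions (not from the thread): a random character comes from the
# 95 printable ASCII symbols, a random word from a 7776-word Diceware-style list.
PRINTABLE_ASCII = 95
WORDLIST_SIZE = 7776
# Figure quoted in the thread: 6,000,000 iterations ~ 1000 guesses/s per GPU.
REF_ITERS, REF_RATE = 6_000_000, 1000.0

def guesses_per_second(iters, gpus=1):
    """PBKDF2 cost is linear in iterations, so guess rate scales as 1/iters."""
    return REF_RATE * REF_ITERS / iters * gpus

def iteration_gain(old_iters, new_iters):
    """Factor by which attacker work grows when iterations are raised."""
    return new_iters / old_iters

def secret_gain(alphabet_size, count=1):
    """Factor by which attacker work grows when `count` uniformly random
    symbols (characters or words) are appended to the master password."""
    return alphabet_size ** count

def iterations_to_match(base_iters, alphabet_size, count=1):
    """Iteration count that would buy the same factor as the added symbols."""
    return base_iters * secret_gain(alphabet_size, count)

def years_to_exhaust(keyspace, iters, gpus=1):
    """Worst-case time to try every candidate in `keyspace`."""
    return keyspace / guesses_per_second(iters, gpus) / (365.25 * 24 * 3600)

def compare(base_iters=100_000, new_iters=6_000_000):
    """Return (option, work factor, bits gained), weakest option first."""
    options = {
        f"{base_iters} -> {new_iters} iterations": iteration_gain(base_iters, new_iters),
        "one extra random character": secret_gain(PRINTABLE_ASCII),
        "one extra random word": secret_gain(WORDLIST_SIZE),
    }
    rows = [(name, f, math.log2(f)) for name, f in options.items()]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for name, factor, bits in compare():
        print(f"{name:40s} x{factor:>8.0f}  (+{bits:.1f} bits)")
```

Under these assumptions the iteration increase is worth a factor of 60, one random character a factor of 95, and one random word a factor of 7776; matching a single extra word by iterations alone would take 777,600,000 iterations starting from 100,000.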