Minimum Password Settings

Last updated on December 29th, 2022

bscrypt (best)

m=256 (256 KiB), t=9, p=1
m=256 (256 KiB), t=5, p=2
m=256 (256 KiB), t=3, p=3

In general:
m=highest per core cache level in KiB
t≥max(2, 21,000,000,000/10,000/1024/m/p)
p≤cores
Based on the soon-to-be-released RTX 4070 Ti

bcrypt

Cost 9

Based on RTX 4090 as "1.5 GPUs"

Argon2

Argon2{id,d}: m=47104 (46 MiB), t=1, p=1
Argon2{id,d}: m=19456 (19 MiB), t=2, p=1
Argon2: m=12288 (12 MiB), t=3, p=1
Argon2: m=9216 (9 MiB), t=4, p=1
Argon2: m=7168 (7 MiB), t=5, p=1

In general:
Argon2i: m≥93,750/(3*t-1)*α, t≥3, p=1
Argon2{id,d}: m≥93,750/(3*t-1)*α, t≥1, p=1
Based on RX 7900 XTX's memory bandwidth: 93,750 = 960,000,000,000/10,000/1024
For low memory usage (≲64 MiB) α≈95%. Once memory usage is high enough, α drops in proportion to the memory increase.

scrypt

N=2^17 (128 MiB), r=8, p=1
N=2^16 (64 MiB), r=8, p=2
N=2^15 (32 MiB), r=8, p=3
N=2^14 (16 MiB), r=8, p=5
N=2^13 (8 MiB), r=8, p=10

In general:
scrypt: N≥600000/r/p*α, r=8, p≥1
Based on RX 7900 XTX's memory bandwidth: 600,000 = 960,000,000,000/10,000/128/1.25
For low memory usage (≲64 MiB) α≈95%. Once memory usage is high enough, α drops in proportion to the memory increase.
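The three "In general" rules above (bscrypt, Argon2, scrypt) as a small parameter calculator. This is an added example, not code from the original page: the budget constants are the page's figures, α defaults to 1 (the page's ≈95% can be passed in), and the rounding conventions (Argon2 m up to a whole MiB, scrypt N up to a power of two, bscrypt t up to an integer) are my assumption about how the tables were produced; with them the functions reproduce the tables above.

```python
import math

# Attacker budgets from the page (hash rate held to <10 kH/s per "GPU").
ARGON2_BUDGET_KIB = 93_750                       # 960e9 / 10_000 / 1024 (RX 7900 XTX)
SCRYPT_BUDGET = 600_000                          # 960e9 / 10_000 / 128 / 1.25 (RX 7900 XTX)
BSCRYPT_BUDGET = 21_000_000_000 / 10_000 / 1024  # RTX 4070 Ti figure, m in KiB

def argon2_min_m_kib(t, variant="id", alpha=1.0):
    """Smallest m (KiB) for Argon2 with t passes, rounded up to a whole MiB
    (assumed rounding; it reproduces the page's table). alpha is the fraction
    of peak bandwidth the attacker actually achieves (page: ~95% at low m)."""
    if t < 1 or (variant == "i" and t < 3):
        raise ValueError("Argon2{id,d} need t>=1; Argon2i needs t>=3")
    raw = ARGON2_BUDGET_KIB / (3 * t - 1) * alpha
    return math.ceil(raw / 1024) * 1024

def scrypt_min_n(r=8, p=1, alpha=1.0):
    """Smallest power of two N with N >= 600000/r/p*alpha (N must be 2^k)."""
    raw = SCRYPT_BUDGET / r / p * alpha
    n = 1
    while n < raw:
        n *= 2
    return n

def scrypt_memory_mib(n, r):
    """scrypt working set: 128 * r * N bytes."""
    return 128 * r * n / (1024 * 1024)

def bscrypt_min_t(m_kib, p):
    """t >= max(2, 21e9/10_000/1024/m/p), rounded up to an integer."""
    return max(2, math.ceil(BSCRYPT_BUDGET / m_kib / p))

def argon2_meets_minimum(variant, m_kib, t, p, alpha=1.0):
    """Audit a deployed Argon2 setting against the page's rule: p must be 1,
    Argon2i needs t>=3, and m must meet the t-dependent memory floor."""
    if p != 1 or t < 1 or (variant == "i" and t < 3):
        return False
    return m_kib >= ARGON2_BUDGET_KIB / (3 * t - 1) * alpha

if __name__ == "__main__":
    for t in range(1, 6):
        print(f"Argon2 t={t}: m>={argon2_min_m_kib(t)} KiB")
    for p in (1, 2, 3, 5, 10):
        n = scrypt_min_n(8, p)
        print(f"scrypt p={p}: N=2^{n.bit_length() - 1} ({scrypt_memory_mib(n, 8):.0f} MiB)")
    for p in (1, 2, 3):
        print(f"bscrypt m=256 KiB p={p}: t>={bscrypt_min_t(256, p)}")
```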

Parallel PBKDF2

PPBKDF2-SHA512: cost 2 (Based on RTX 4090 as "1.5 GPUs")
PPBKDF2-SHA256: cost 5 (Based on RTX 4090 as "1.5 GPUs")
PPBKDF2-SHA1: cost 10 (Based on RTX 4090 as "1.5 GPUs")

PBKDF2 (worst)

PBKDF2-HMAC-SHA512: 210,000 iterations (Based on RTX 4090 as "1.5 GPUs")
PBKDF2-HMAC-SHA256: 600,000 iterations (Based on RTX 4090 as "1.5 GPUs")
PBKDF2-HMAC-SHA1: 1,300,000 iterations (Based on RTX 4090 as "1.5 GPUs")

Info

Hashing algorithms are ordered best to worst. When in doubt, "just use bcrypt". Only use PBKDF2 if you must use it. PBKDF2 is a bad algorithm because it is slow for the defender and fast for the attacker.

Minimum good password settings for authentication cause an attacker to get <10 kH/s/GPU. A "GPU" is a current high-end but not super high-end GPU, due to diminishing returns in performance per cost. Basically, a GPU with an MSRP of about $700 in 2015 USD (which is about $900 in 2022). Currently a "GPU" is one of the following: an RTX 4070 Ti, 2/3 the speed of an RTX 4090, or an RX 7900 XTX.

Super high-end cards used to be 1.5x-2x the price and 25%-50% faster (i.e. diminishing returns), but the RTX 4090 is the best performance per cost GPU (about 16% higher than an RTX 4070 Ti). Since the RTX 4090 vs the RTX 4070 Ti is 4 vs 3 slots (1.33x and 2x vs older generations), 450 vs 285 watts (1.58x), and $1600 vs $900 (1.78x), I'm going to call the RTX 4090 "1.5 GPUs". Also you can easily put two RTX 4090s vs three RTX 4070 Ti in a case with a standard power supply. I debated whether to ignore the RTX 4090 or call it 1 to 2 GPUs. I settled on calling it 1.5 GPUs.

If the RTX 4090 is considered as a single GPU then bcrypt increases to cost 10 ("9.3" up from "8.7"). Argon2 increases to 49 MiB (t=1), 20 MiB (t=2), and 13 MiB (t=3). PPBKDF2 increases to cost 3 (SHA512), cost 7 (SHA256), and cost 15 (SHA1). PBKDF2 increases to 320,000 (SHA512); 890,000 (SHA256); and 2,000,000 (SHA1). Everything else stays the same.