Minimum Password Settings

Last updated on August 10th, 2022

bscrypt (best)

m=256 (256 KiB), t=8, p=1
m=256 (256 KiB), t=4, p=2
m=256 (256 KiB), t=3, p=3

In general:
m=highest per core cache level in KiB
t≥max(2, 1900000/1024/m/p)
p≤cores

bcrypt

Cost 9

Technically the minimum works out to roughly 8.1, but the cost parameter must be an integer. Cost 9 should be about 5.3 kH/s on an RTX 3080 12GB.

Argon2

Argon2{id,d}: m=44*1024 (44 MiB), t=1, p=1
Argon2{id,d}: m=18*1024 (18 MiB), t=2, p=1
Argon2: m=11*1024 (11 MiB), t=3, p=1
Argon2: m=8*1024 (8 MiB), t=4, p=1
Argon2: m=7*1024 (7 MiB), t=5, p=1

In general:
Argon2i: m≥89062.5/(3*t-1)*α, t≥3, p=1
Argon2{id,d}: m≥89062.5/(3*t-1)*α, t≥1, p=1
Derived from the RTX 3080 12GB memory bandwidth at the 10 kH/s target: 89,062.5 = 912,000,000,000/10,000/1024
For low memory usage (≲64 MiB) α≈95%. Once memory usage is high enough, α drops in proportion to the memory increase.

scrypt

N=2^17 (128 MiB), r=8, p=1
N=2^16 (64 MiB), r=8, p=2
N=2^15 (32 MiB), r=8, p=3
N=2^14 (16 MiB), r=8, p=5
N=2^13 (8 MiB), r=8, p=9

In general:
scrypt: N≥570000/r/p*α, r=8, p≥1
Derived from the RTX 3080 12GB memory bandwidth at the 10 kH/s target: 570,000 = 912,000,000,000/10,000/128/1.25
For low memory usage (≲64 MiB) α≈95%. Once memory usage is high enough, α drops in proportion to the memory increase.

PBKDF2 (worst)

PBKDF2-HMAC-SHA512: 130,000 iterations (Based on RTX 3080 12GB)
PBKDF2-HMAC-SHA256: 350,000 iterations (Based on RX 6800 XT)
PBKDF2-HMAC-SHA1: 860,000 iterations (Based on RX 6800 XT)

Info

Minimum good password settings for authentication are those that hold an attacker to <10 kH/s per GPU. A "GPU" here is a current high-end but not top-of-the-line GPU. Currently that is either an RTX 3080 12GB (note that the benchmarks are for the 10GB version; the 12GB is ~2.94% faster, and a newer hashcat version increases bcrypt speed by ~10%) or an RX 6800 XT. Basically a GPU with an MSRP of about $700 in 2015 USD.

These are ordered from best to worst. Just use bcrypt. Only use PBKDF2 if you must. PBKDF2 is a bad algorithm because it is slow for the defender and fast for the attacker.
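The "In general" formulas above and the <10 kH/s target from this section can be turned into a small calculator. The following is an added example, not code from this page; it reproduces the bscrypt, Argon2 and scrypt tables when α=1 and recovers the ~8.1 bcrypt cost from the 5.3 kH/s figure, assuming (as bcrypt's design guarantees) that each cost increment doubles the work.

```python
import math

# Figures taken from the page: RTX 3080 12GB memory bandwidth in bytes/s
# and the attacker hash-rate target the minimums are derived from.
GPU_BANDWIDTH_BPS = 912_000_000_000
TARGET_HPS = 10_000
ARGON2_CONST = GPU_BANDWIDTH_BPS / TARGET_HPS / 1024         # 89,062.5
SCRYPT_CONST = GPU_BANDWIDTH_BPS / TARGET_HPS / 128 / 1.25   # 570,000


def argon2_min_m_mib(t, alpha=1.0, variant="id"):
    """Smallest whole-MiB m satisfying m >= 89062.5/(3t-1)*alpha for t passes."""
    if t < 1 or (variant == "i" and t < 3):
        raise ValueError("Argon2i needs t >= 3; Argon2id/d need t >= 1")
    kib = ARGON2_CONST / (3 * t - 1) * alpha
    return math.ceil(kib / 1024)


def scrypt_min_n(p, r=8, alpha=1.0):
    """Smallest power-of-two N with N >= 570000/r/p*alpha."""
    n_min = SCRYPT_CONST / r / p * alpha
    return 1 << math.ceil(math.log2(n_min))


def scrypt_mem_mib(n, r=8):
    """scrypt memory use: N blocks of 128*r bytes."""
    return n * r * 128 / 1024 / 1024


def bscrypt_min_t(m_kib, p):
    """bscrypt: t >= max(2, 1900000/1024/m/p), rounded up to an integer."""
    return max(2, math.ceil(1_900_000 / 1024 / m_kib / p))


def bcrypt_min_cost(rate_hps, cost):
    """Fractional cost at which the attacker rate falls to TARGET_HPS, given a
    measured rate at a known cost (each +1 cost halves hashes/s). The usable
    value is math.ceil() of the result, since cost must be an integer."""
    return cost + math.log2(rate_hps / TARGET_HPS)


if __name__ == "__main__":
    print([argon2_min_m_mib(t) for t in range(1, 6)])   # MiB per row of the Argon2 table
    print([scrypt_min_n(p) for p in (1, 2, 3, 5, 9)])   # N per row of the scrypt table
    print([bscrypt_min_t(256, p) for p in (1, 2, 3)])   # t per row of the bscrypt table
    print(round(bcrypt_min_cost(5300, 9), 2))            # ~8.08, so cost 9
```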