Update: PBKDF2 work factors increased

[KevinAtSesam]

Previously

• Update PBKDF2 work factors according to RTX4000 #1043 #1055
• Update: Password Storage Cheatsheet #1043

What is missing or needs to be updated?

The current PBKDF2 recommendation is based on information from early 2023, and as such it might no longer reflect the current risks. Since PBKDF2 is still part of the NIST standard, it is important to keep these recommendations updated.

NIST is working on a revised standard though, so this problem will not be forever.

How should this be resolved?

Unsure, should we wait for actual tests with the NVidia 5000 series before we update these numbers? Can we make a rough estimate?

[jmanico]

cc @Sc00bz

[Sc00bz]

TL;DR PBKDF2 might increase by the smallest amount. bcrypt, Argon2, and scrypt will remain unchanged. But we should wait for benchmarks. Also there could be architecture changes that increase or decrease cracking speed.

---

The RTX 4090 was weird because it had a better cost/performance than all other GPUs (for computationally hard password hashing algorithms), but it was huge, power hungry, and costed 60% more. So I called it "1.5 GPUs". With the 50 series we return to normality, RTX 5080 will be a "GPU" which should be a little faster (~2.3%) than "RTX 4090 as 1.5 GPUs". Also the RTX 5080 will be the GPU for computationally hard, cache hard, and memory hard password hashing algorithms. Which simplifies things. Well unless AMD's new GPUs are better.

bcrypt might change but that depends on details for the 50 series compute capability "10.1". In this chart the "Maximum amount of shared memory per thread block", if it's again 96-99 KiB then no changes. If it's 163-227 KiB (like older data center cards) then bcrypt will likely be bumped from cost 9 to 10... Just remembered it's already cost 10 (it was a compromise).

I wonder if ~2.3% will change any... Oh maybe but not by much. I round up to the next 2 significate digit number of iterations needed to get 10 kH/s.

Current (RTX 4090 as 1.5 GPUs):

• PBKDF2-HMAC-SHA1: 1,300,000 iterations ("1,274,960")
• PBKDF2-HMAC-SHA256: 600,000 iterations ("591,047")
• PBKDF2-HMAC-SHA512: 210,000 iterations ("208,060")

According to RTX 4090 benchmark and adjusted to RTX 5080 specs:

• PBKDF2-HMAC-SHA1: 1,400,000 iterations ("1,304,842")
• PBKDF2-HMAC-SHA256: 610,000 iterations ("604,899")
• PBKDF2-HMAC-SHA512: 220,000 iterations ("212,936")

Note these are best guesses without benchmarks. These should not be updated until confirmed. There could be architecture changes that increase or decrease cracking speed. We won't know until probably a few weeks or a month after release.

[KevinAtSesam]

Note these are best guesses without benchmarks. These should not be updated until confirmed. There could be architecture changes that increase or decrease cracking speed. We won't know until probably a few weeks or a month after release.

Sound good. We should approach this problem with empirical evidence. It's good to have this discussion on the agenda, and perhaps we're all lucky and the impact of the 50 series is limited.

[KevinAtSesam]

Metrics!

We have benchmarks for SHA-512 hashing with Hashcat!
https://www.phoronix.com/review/nvidia-geforce-rtx5080-linux/3

5090: 8878450000 h/s
4090: 6266200000 h/s
4080: 3940250000 h/s
5080: 3822050000 h/s

This means that the 5090 is 40% better in pure hashing compared to the 4090

Judgement

Not sure how we should approach this. Increasing the iteration count by 40% sounds rather harsh, and it's also of diminishing use.

[Sc00bz]

A 4090 was 1.5 GPUs because of price, size, and power. A 5090 would be 2 GPUs. We're back to normal with the 5080 being 1 GPU.

They are using an old version of Hashcat. Also SHA-512 isn't always a good benchmark for PBKDF2 with HMAC SHA-512. There's early exit and more passwords generated when doing SHA-512.

Oh this 4090 got 7483.4 MH/s vs 6266.2 MH/s for SHA-512. So those benchmarks might not be tuned correctly.