Sorcerer's Isle cfPassphrase Documentation

Tuning Algorithm Params

All the algorithms available with cfPassphrase are designed to be tunable - that is, they have parameters which can be modified to ensure the algorithms are not made out of date as hardware power increases.

There is no single value that will work for everyone, though the general rule of thumb is: as high as possible, but not so high that usability suffers.

If you pick parameter values that result in a ten second time to hash, this will be more secure than if it takes one second - but a lot more people will complain if it takes ten seconds to login!

Remember also that slow hashing is not a substitute for good passphrase practise. The ever increasing speed of computing, and existence of specialised hardware, mean that it is important to educate your users about secure passphrases.

BCrypt

Rounds

The BCrypt rounds parameter is an integer which is raised as a power of two to calculate the iterations.

The default 16 rounds results in 2^16, or 65536 iterations.

Specify as many rounds as you can, and never go below 10.

PBKDF2

Iterations

The PBKDF2 iterations parameter can be any positive whole number (it is not required to be a power of two).

The default is 86,000 iterations - more is better. Never go below 10,000.

SaltBytes

This parameter determines the size of the generated salt, in bytes.

The purpose of a salt is to prevent attackers from pre-computing lookup tables. It is recommended to use a salt which is the same length as the hash.

The default value is 24 bytes. It is not recommended to go below 8 bytes.

HashBytes

This parameter determines the number of bytes output by the hash function. It should be at least as large as the output of the key derivation function.

The PBKDF2 default value is 24 bytes.

Notes

PBKDF2 uses the HmacSHA1 function, which outputs 160 bits (20 bytes).

SCrypt

There is limited information available for SCrypt. The values below come from Colin Percival's original paper/presentation - I haven't found clear information on when the latter two parameters should be increased.

The names here come from the Java implementation used and are not referenced in the original paper - it is likely that they will be renamed to be consistent with other implementations.

The higher level parameters maxtime/maxmemfrac/maxmem have yet to be implemented.

CpuCost

This parameter is also referred to as N, and is the number of iterations. It must be a power of 2.

The default value is 65536 (2^16). It is recommended to use at least 16384 (2^14).

MemoryCost

This parameter is also referred to as r and controls the blocksize for the underlying hash, which affects the relative memory cost.

The default value is 8.

Parallelization

The parallelization factor can be used to fine-tune the relative CPU cost. It is also referred to as p.

The default value is 1.

Notes

SCrypt uses a 128-bit salt and a 256-bit derived key from the HmacSHA256 function.