[messaging] Secure OpenPGP Key Pair Synchronization via IMAP (RFC)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Apr 13 00:26:32 PDT 2015


On Fri 2015-04-10 04:38:47 -0400, Tankred Hase wrote:
> [ Daniel Roesler wrote: ]
>> Also, in the same vein, Django's default is 24,000 iterations[2].
>> LastPass uses 100,000[3]. Any particular reason you settled on 10,000?
>
> The "password" being stretched is a 24 char code generated with a
> prng, so I'm not sure how much entropy more iterations would add. We
> chose 10k mainly due to the performance constraints of JS runtimes.

I don't think the iterations of PBKDF2 are present to provide entropy at
all; they're present to increase the work factor of a CPU-bound attacker
who is brute-forcing a password list.

              --dkg
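
Added example (not part of the original message, nor code from the project under discussion): a small Python sketch of the point above, using the iteration counts quoted in the thread. The salt, the five-entry word list and the 32-symbol alphabet assumed for the 24-character code are constructed for illustration.

```python
import hashlib
import math

# Constructed sample values (assumptions, not taken from the thread).
SALT = b"constructed-salt"
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]

def derive(password: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a single 32-byte output block."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, dklen=32)

def brute_force(target: bytes, iterations: int):
    """Try every word; return (recovered password, HMAC invocations spent)."""
    spent = 0
    for guess in WORDLIST:
        spent += iterations  # one output block costs `iterations` HMAC calls per guess
        if derive(guess, iterations) == target:
            return guess, spent
    return None, spent

def attack_cost_bits(secret_entropy_bits: float, iterations: int) -> float:
    """log2 of the HMAC invocations needed to exhaust the secret's keyspace."""
    return secret_entropy_bits + math.log2(iterations)

def compare(iteration_counts=(10_000, 24_000, 100_000), alphabet=32, length=24):
    """For each count: does a listed password still fall, and at what cost?"""
    entropy = length * math.log2(alphabet)  # alphabet size is an assumption
    rows = []
    for n in iteration_counts:
        guess, spent = brute_force(derive("hunter2", n), n)
        rows.append((n, guess, spent, round(attack_cost_bits(entropy, n), 2)))
    return rows

if __name__ == "__main__":
    for n, guess, spent, bits in compare():
        print(f"{n:>7} iterations: recovered {guess!r} after {spent} HMAC calls; "
              f"24-char code costs 2^{bits} HMAC calls to exhaust")
```

A password that is on the list is recovered at every iteration count, only at proportionally higher cost; for the random code, going from 10,000 to 100,000 iterations adds about 3.3 bits of attacker work on top of the entropy the code already has.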

