> You're assuming all your important software does that many iterations.
Trust nothing. KeePass let's you choose the number of iterations, and can autocalibrate. I believe it calibrated mine to >1mil iterations. I use KeePass to generate the passwords for pretty much everything else, except TrueCrypt (which uses ~1,000 iterations, but it's far more complicated than that). So the number of iterations everything else does is unimportant.
> You're also underestimating how massively parallel GPUs are becoming.
I'm a Bitcoin miner and developer. I know exactly how parallel GPUs, FPGAs, and theoretical cracking ASICs are. Only ASICs would be able to achieve 1 TH/s of cost effective cracking power, which is where I spec'd my estimate. Suffice it to say, that number I quoted is an underestimate; it would take a real attacker much, much longer. Unless we're talking about organized crime or the government here, in which case you can look forward to them spending a year of their entire computational power on just little ole you.
> The more important question is - why settle for 53 bits and worry about it?
That is why I asked what your criteria is. A line must be drawn somewhere. Humans aren't good at generating and/or memorizing passphrases. So picking a reasonable threshold is important. If 30 years of security against an unreasonably powerful attacker is not enough, what is?
I agree that if you pre-hash your passwords 1 million times yourself, then it's much safer than using the password directly. You're basically slowing down the bruteforce attack by a factor of a million, which is equivalent to adding log2(1M) = 20 more bits.
53 bits is definitely not enough to protect anything important. I, personally, use 30 character passwords for anything mildly important, like email, which is around 170 bits. For bitcoins I go 40 characters - that's around 230 bits.
Trust nothing. KeePass let's you choose the number of iterations, and can autocalibrate. I believe it calibrated mine to >1mil iterations. I use KeePass to generate the passwords for pretty much everything else, except TrueCrypt (which uses ~1,000 iterations, but it's far more complicated than that). So the number of iterations everything else does is unimportant.
> You're also underestimating how massively parallel GPUs are becoming.
I'm a Bitcoin miner and developer. I know exactly how parallel GPUs, FPGAs, and theoretical cracking ASICs are. Only ASICs would be able to achieve 1 TH/s of cost effective cracking power, which is where I spec'd my estimate. Suffice it to say, that number I quoted is an underestimate; it would take a real attacker much, much longer. Unless we're talking about organized crime or the government here, in which case you can look forward to them spending a year of their entire computational power on just little ole you.
> The more important question is - why settle for 53 bits and worry about it?
That is why I asked what your criteria is. A line must be drawn somewhere. Humans aren't good at generating and/or memorizing passphrases. So picking a reasonable threshold is important. If 30 years of security against an unreasonably powerful attacker is not enough, what is?