Yeah he does make that assumption. But the point is still valid: The problem here wasn't PBKDF2.
Sure, using a memory-intensive KDF like Argon2id is to be advised. But acting like they could encrypt it because PBKDF2 was used is at the very least misleading. We can say, with very high certainty, that the encryption could not have been broken if:
1. a secure password was being used (truly random, long enough)
2. the police didn't find out the password another way (e.g. watching him type it in, it was being used somewhere else, it was written down, ...)
However, we cannot say that the encryption wouldn't have been broken if Argon2id was being used, because that would depend on how insecure the password is. But then, the root cause here would still be that the password is insecure, not that PBKDF2 is being used.
If the password had been 20 random characters (letters and numbers and 8 special characters = 70 options per character) it would take 390 trillion years to brute force all possible options. And that would be for MD5-hashed passwords using 10000 x A100 GPUs. So realistically, PBKDF2 would take way longer (don't have hashing rates for PBKDF2 to calculate). Even 14 random letters would currently take 3323 years to brute force.
Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
the problem is the password
Date: 2023-05-06 12:04 pm (UTC)
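The comment's argument worked through in numbers, as an added example that is not part of the original comment. The guess rate of 1e15 fast hashes per second, the 1000-year target and the modelling of a KDF as a flat per-guess cost multiplier are assumptions; memory-hardness is not modelled.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet, length):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet)


def years_to_exhaust(alphabet, length, fast_rate, kdf_cost=1):
    """Years to try every candidate.

    fast_rate: assumed attacker throughput in fast-hash evaluations/s.
    kdf_cost:  assumed cost of one KDF guess, in fast-hash evaluations.
    """
    return alphabet ** length * kdf_cost / fast_rate / SECONDS_PER_YEAR


def min_length(alphabet, target_years, fast_rate, kdf_cost=1):
    """Shortest random password whose full search exceeds target_years."""
    needed = target_years * SECONDS_PER_YEAR * fast_rate / kdf_cost
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    RATE = 1e15  # assumption: aggregate fast-hash guesses per second
    # Constructed password classes; 20 characters from 70 is the comment's case.
    classes = [("8 lowercase", 26, 8), ("20 from 70 symbols", 70, 20)]
    for name, alphabet, length in classes:
        bits = entropy_bits(alphabet, length)
        for cost in (1, 10**4, 10**6):  # assumed KDF cost multipliers
            years = years_to_exhaust(alphabet, length, RATE, cost)
            print(f"{name:20} {bits:6.1f} bits  kdf x{cost:<8} {years:.3g} years")
    # How much password length a 10^6x slower KDF actually buys.
    for alphabet in (26, 70):
        plain = min_length(alphabet, 1000, RATE)
        slow = min_length(alphabet, 1000, RATE, 10**6)
        print(f"alphabet {alphabet}: {plain} chars needed, {slow} with 10^6x KDF")
```

Under these assumptions the KDF multiplier shifts the required length by only a few characters, while the weak password stays searchable in minutes at every cost setting shown.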