8

I've been trying to look for the answer, but the latest one I found was outdated by three years. So what are the recommended scrypt cost factors for 2016?

Anders
  • 64,406
  • 24
  • 178
  • 215
Awn
  • 480
  • 4
  • 15

1 Answers1

7

In general, use the maximum cost factor that is bearable from a performance perspective. I would create a benchmark application which is as close as possible to what your application does, and find out the cost factor on your production hardware that gives you the maximum tolerable delay.

In most systems, I strive for a 10 to 20 ms delay. Assume your attacker has hardware that is, say, 1000 times more powerful than yours (which is not unreasonable, given that scrypt cannot be GPU-accelerated), he can try 105 guesses per second. For a 10-character alphanumeric password, that's 2610 passwords, or about 1014 potential guesses. That would take 109 seconds, or 31 years. Sounds acceptable to me.

If you want to use even higher delays, remember that scrypt is memory hard. This means it uses a (relative) lot of memory, in the order of megabytes, for each verification, so having a lot of them running in parallel might be more of a performance hit than the absolute processing power required.

Have a look at Security.stackexchange.com "Recommended # of iterations when using PKBDF2-SHA256?" for a good analysis of the same subject on PBKDF2.