Rfc2898DeriveBytes IterationCount purpose and best practices

Question

What is the purpose of the IterationCount property of the Rfc2898DeriveBytes class. MSDN doesn't shed too much light on it, but it does say that 1,000 is the recommended minimum.

If I'm going to set it to 1,000, why not 1,000,000 or 1,000,000,000? Is there a reason behind the recommendation of 1,000, and is there a best practice for determining what value is right for each use case?

Answer 1

Rfc2898DeriveBytes implements PBKDF2. This algorithm uses a salt and key stretching to create a relatively safe key from a password (normal length passwords are not that safe). To make it harder to brute force passwords it uses the iteration count (which is the linear cost added to create the key). The cost is identical for the legit user as well as for the attacker, but the attacker has to iterate through all possible passwords.

There is no standardized amount; basically you set it to such a value that is acceptable regarding CPU performance for you. 1000 is the recommended value within the standard, but that standard has been around for some years. Nowadays you should start with about 10K minimum⁺, anything above makes it harder for an attacker to find a password that generated the same "key".

⁺ [EDIT] Please lookup the current recommended number of iterations. Be warned that Moore's law is still in effect and that PBKDF2 itself does not use a exponential scale for the iteration count. Make sure the other password handling routines are secure as well (password strength feedback, maximum number of retries etc.).

Obviously more important keys should be better protected. Note that generating a really secure password has more influence than adding iterations - using both a good password and high iteration count is of course best.