About PBKDF2
Password-Based Key Derivation Function 2 (PBKDF2) makes it harder for someone to guess your account password through a brute-force attack.
PBKDF2 prevents password cracking tools from making the best use of graphics processing units (GPUs). This reduces guess rates from hundreds of thousands of guesses per second to less than a few tens of thousands of guesses per second.
Cracking cost for different generation schemes
Generation scheme | Bits | Cost (USD) | Example |
---|---|---|---|
8 char, with lowercase, digits | 40.00 | 770 | 2wd74wmq |
7 char, with uppercase, lowercase, digits | 40.47 | 1,100 | zCm6hTb |
3 syl, constant separator, capitalize one | 41.50 | 2,200 | austEerkkrug |
3 word, constant separator | 42.48 | 4,300 | prithee-insured-buoyant |
3 word, constant separator, capitalize one | 44.07 | 13,000 | Dent-impanel-minority |
9 char, with lowercase, digits | 45.00 | 25,000 | azdr3oqxc |
8 char, with uppercase, lowercase, digits | 46.25 | 58,000 | 8NhJqHPY |
3 syl, digit separator, capitalize one | 48.15 | 220,000 | Best0jogh2gno |
3 word, digit separator | 49.13 | 430,000 | swatch2forte1dill |
10 char, with lowercase, digits | 50.00 | 790,000 | fovav9v6ot |
3 word, digit separator, capitalize one | 50.71 | 1,300,000 | saute7docket3Bungalow |
9 char, with uppercase, lowercase, digits | 52.03 | 3,200,000 | siFc96vGw |
11 char, with lowercase, digits | 55.00 | 25,000,000 | aev7x9cgm3q |
4 syl, constant separator, capitalize one | 55.22 | 29,000,000 | paghdeygibFrom |
4 word, constant separator | 56.65 | 79,000,000 | align-caught-boycott-delete |
10 char, with uppercase, lowercase, digits | 57.81 | 180,000,000 | rm9gKDAyeY |
4 word, constant separator, capitalize one | 58.65 | 320,000,000 | gable-drought-Menthol-stun |
12 char, with lowercase, digits | 60.00 | 810,000,000 | 8cjfqtzj7yx3 |
4 syl, digit separator, capitalize one | 65.19 | 29,000,000,000 | ket5Nor0koul7toss |
4 word, digit separator | 66.61 | 79,000,000,000 | convoy2chant3calf9senorita |
4 word, digit separator, capitalize one | 68.61 | 310,000,000,000 | ultima2jagged9Absent7vishnu |
5 word, constant separator | 70.81 | 1,400,000,000,000 | passion-ken-omit-verso-tortoise |
5 word, digit separator | 84.10 | 14,000,000,000,000,000 | slain9dynast5try6punch8licensee |
How 1Password uses PBKDF2
1Password uses PBKDF2 in the process of deriving encryption keys from your account password. Learn more about the key derivation process in the 1Password Security Design White Paper.
The current version of 1Password uses 650,000 iterations, or functions, of PBKDF2. This means anyone who tries to guess an account password needs to perform the same calculations for every guess. Any hacking attempts are virtually useless since your account password is combined with your Secret Key, which is only on your devices.
You still need a good password to protect you from an attacker who acquires your encrypted 1Password data from your device. Learn how to choose a good 1Password account password.
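The work factor described above, as an added Python example that is not 1Password's code and not its actual key derivation: it stretches a password with 650,000 PBKDF2 iterations, mixes in a device-held secret, and relates search effort to the bit counts in the table. HMAC-SHA256, the XOR mixing step, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

ITERATIONS = 650_000  # iteration count stated on this page

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    # Hash choice (SHA-256) is an assumption; the page names only SHA1 for 2007.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)

def mix_device_secret(stretched: bytes, device_secret: bytes, salt: bytes) -> bytes:
    # Hypothetical mixing step: XOR the stretched password with a keyed hash of
    # a high-entropy secret that exists only on the user's devices.
    mask = hmac.new(salt, device_secret, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mask))

def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    # Checking one guess costs one full derivation, the same as a normal unlock.
    start = time.perf_counter()
    derive_key("constructed-sample-guess", b"constructed-salt", iterations)
    return time.perf_counter() - start

def expected_guesses(bits: float) -> float:
    # On average the password is found after searching half the space.
    return 2.0 ** (bits - 1)

def cost_ratio(bits_low: float, bits_high: float) -> float:
    # Work, and so cost, doubles with each added bit of password strength.
    return expected_guesses(bits_high) / expected_guesses(bits_low)

if __name__ == "__main__":
    salt = b"constructed-salt"              # constructed sample values
    secret = b"constructed-device-secret"
    key = mix_device_secret(derive_key("prithee-insured-buoyant", salt), secret, salt)
    per_guess = seconds_per_guess()
    print("derived key:", key.hex())
    print(f"one guess on this CPU core: {per_guess:.3f} s")
    # 42.48 bits is the table's figure for "3 word, constant separator".
    days = expected_guesses(42.48) * per_guess / 86400
    print(f"expected single-core search at 42.48 bits: {days:,.0f} days")
    print(f"40 -> 50 bits multiplies the work by {cost_ratio(40.00, 50.00):,.0f}")
```

The 40-to-50-bit ratio lines up with the table, where the cost rises from 770 to 790,000 USD across the same ten bits.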
History of PBKDF2 in 1Password
1Password was the first password manager to use PBKDF2 with the introduction of the Agile Keychain format in 2007, which used PBKDF2-HMAC-SHA1.