If you store all of your passwords in a password manager, you might be worried about someone trying to hack it by brute-forcing their way in.
The best way to avoid this is by using a strong, random password, which will be impossible for a hacker to brute force. However, with the constant advances in computing power and hacking techniques, the bar for how strong your password should be is constantly increasing.
Luckily, there is a way to significantly improve the security of your password manager, without increasing the complexity of your password, and without much effort on your part.
All you have to do is change a single setting in your password manager: the number of password iterations (also known as key transformations). Basically, when you input the master password into your password manager in order to access your database, the software transforms this password multiple times before checking its validity (a process known as key stretching).
The more times the password is transformed, the longer it takes to check whether a certain password is correct, and the longer it will take someone to brute force their way into your database.
KeePass, for example, currently specifies a default value of 6,000 transformations. However, on most modern computers you could easily change that number to several million transformations, without experiencing a noticeable increase in the time it takes the software to load your database when you input the correct password.
This means that if you increase the number of transformation to 6,000,000, a hacker will now take 1,000 times as long to crack your password, while the program will still load almost instantaneously when you input the correct password.
In fact, KeePass lets you set the number of transformation so that it takes the computer approximately 1 second to check the password. On modern computers, these values can often far exceed the 6 million transformations.
Keep in mind that the loading time will vary for different devices; this will be especially noticeable if you access the password manager on mobile, so make sure you’re not setting the value too high for that.
Likewise, the optimal value might be different if you use an online service, such as LastPass, which currently recommends not exceeding 10,000 password iterations for client-side encryption (compared to the default 5,000), though they do allow users to go as high as 200,000.
The setting itself is generally easy to find on all platforms. In KeePass, for example, you will go to File > Database Settings > Security. In LastPass you go to Account Settings > General > Show Advanced Settings > Password Iterations.
One more thing worth noting: while this post focused on password managers, this advice is also applicable to other types of encryption software. VeraCrypt, for example, allows you to set the number of iterations used for encrypting volumes, using their Personal Iterations Multiplier.
Summary and Conclusions
- The master password to your password manager undergoes multiple transformations/iterations before being verified; this number scales linearly with the time required to check whether a certain password is correct.
- By increasing the number of transformations, you can easily improve the security of your password database, without increasing the complexity of the password.
- This will lead to a negligible increase in software loading time for you, but will significantly increase the time it takes to brute force the password.
- When setting the number of transformations, make sure to account for any differences in the processing power of the devices you will use to log in, especially if you use mobile.
- Instructions on how to do this are generally easy to find. If unsure, search for ‘software name + key transformations’ or ‘software name + password iterations’.