Firstly, the $6 figure is wrong, because at the time 1Password used 100,000 iterations.[1] Currently, 1Password states:
Extrapolating from a cracking challenge we ran, we estimate it costs an optimized attacker working at scale between 30 and ~40 US dollars to make 2^32 guesses against PBKDF2-SHA256 with 650,000 iterations.
(Also, @AtomicBug, note that this has nothing to do with 1Password’s Secret Key, which does add additional security on top of the estimate above, but I won’t be covering that in this post. You can read their security design paper to learn more about that.)
I do not know how this compares to Hive Systems’ because I don’t really understand their testing methodology.
Also note that 1Password’s cracking challenge was completed far before the A100 even existed, so I don’t put too much faith in their “extrapolated” estimates holding up in the modern world. The real cost is undoubtedly somewhere between 1Password’s and Hive’s estimates, but I don’t know where it would land. Hive didn’t do any estimates with PBKDF2-SHA256, so their data isn’t directly applicable here.
Secondly, password hashing (what bcrypt does) is completely different from key derivation (what PBKDF2 is), which is what password managers need.
As the Wikipedia article @Critical_Crab5543 linked to says:
It is important to note that bcrypt is not a key derivation function (KDF). For example, bcrypt cannot be used to derive a 512-bit key from a password.
So bcrypt is completely irrelevant for password managers or other applications that are encrypting data using your password. It is only relevant for password hashing for regular websites.
What would be more secure than PBKDF2 is Argon2, but 1Password explains why everyone is using PBKDF2 succinctly:
The choice of PBKDF2-HMAC-SHA256 as our slow hash is largely a function of there being (reasonably) efficient implementations available for all our clients. While we could have used a more modern password hashing scheme, any advantage of doing so would have been lost by how slowly it would run within JavaScript in most web browsers.
Because key derivation is performed by the client (so the server never needs to see the password) we are constrained in our choices by our least efficient client. The Makwa password hashing scheme [13], however, is a possible road forward because it allows some of the computation to be passed to a server
For the sake of completeness, yes, I know there is one password manager claiming to use bcrypt:
Proton uses bcrypt for authentication because their authentication model is different from most password managers’.
Under the hood, Proton actually uses OpenPGP S2K for their key derivation function.
Proton’s security is the equivalent of putting your password into bcrypt, taking the resulting hash, and then using that hash as the passphrase for your OpenPGP key.
It’s an interesting setup that really makes no sense for anyone to do unless you are basing all of your encryption on PGP like Proton is. For everyone else who can just do their own encryption without worrying about legacy PGP stuff, using a single function that is built for this purpose like PBKDF2 makes a lot more sense.
To be honest, S2K is far worse than PBKDF2, and Proton’s bcrypt solution is a hacky solution. I would be very sure to use a long and high entropy password with Proton, instead of only relying on bcrypt. On the other hand, you are (mostly) perfectly safe using a crap password with 1Password, because your account security is guaranteed with their separate high-entropy Secret Key. Other password managers like Bitwarden are somewhere in the middle.
PGP will eventually use Argon2, but I haven’t heard any additional news about that since Proton’s post in 2023 about it.
Edit: Apparently OpenPGP 6 with Argon2 support came out at the end of last year, so maybe Proton will support it soon.
[1] Accounts created prior to January 27, 2023 that have not changed their account password or Secret Key since this date will use a lower iteration count. The iteration count can be updated to the current standard value by changing either the account password or Secret Key.
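The distinction drawn above between a password hash and a key derivation function, as an added example that is not part of the original post or of any vendor's code: PBKDF2-HMAC-SHA256 produces as many bytes as you ask for by chaining independent HMAC blocks, so a 512-bit key (or an encryption key plus a MAC key) falls out directly, whereas bcrypt's output is fixed-size and cannot be extended this way. The 650,000 iteration count is the figure quoted from 1Password; the salt, passwords and the two-key split are constructed for illustration and are not 1Password's or Proton's real key schedule.

```python
import hashlib
import hmac

# Iteration count quoted in the post from 1Password's documentation.
ITERATIONS = 650_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library: returns exactly dklen bytes,
    so a 512-bit key is simply dklen=64 (bcrypt has no such knob)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def derive_vault_keys(password: str, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Hypothetical vault key schedule (constructed for this example): derive a
    512-bit master secret and split it into a 256-bit encryption key and a
    256-bit MAC key. This is the kind of thing a KDF is for and a plain
    password hash is not."""
    master = derive_key(password, salt, iterations, 64)
    return master[:32], master[32:]


def pbkdf2_reference(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Textbook PBKDF2 (RFC 8018 section 5.2) written out so the block
    structure is visible: T_i = U_1 xor U_2 xor ... xor U_c, where
    U_1 = HMAC(P, S || INT_32BE(i)) and U_j = HMAC(P, U_{j-1}).
    Blocks are numbered from 1 and concatenated until dklen bytes exist,
    which is why the first 32 bytes do not depend on the requested length."""
    hlen = hashlib.sha256().digest_size
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for j in range(hlen):
                t[j] ^= u[j]
        out += bytes(t)
        block_index += 1
    return out[:dklen]


if __name__ == "__main__":
    # Constructed sample: a weak password and a fixed 16-byte salt.
    enc_key, mac_key = derive_vault_keys("correct horse battery staple", b"\x00" * 16)
    print("enc key:", enc_key.hex())
    print("mac key:", mac_key.hex())
```

The reference implementation is only for reading and for cross-checking small iteration counts; at 650,000 iterations use the C-backed `hashlib.pbkdf2_hmac`. Note that the prefix property (the 32-byte derivation equals the first 32 bytes of the 64-byte one) also means a leaked short key reveals part of the long one, so a single PBKDF2 output should be split into sub-keys rather than derived twice with different lengths.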