Key Derivation (PBKDF2)
TorrinPass uses PBKDF2 (Password-Based Key Derivation Function 2) to transform your master password into a secure encryption key.
Why Key Derivation?
Your master password might be “MyDog2024!” — memorable but not directly usable as an encryption key. PBKDF2:
- Stretches your password into a 256-bit key
- Slows down brute-force attacks
- Adds salt to prevent rainbow table attacks
Our Configuration
| Parameter | Value |
|---|---|
| Algorithm | PBKDF2-HMAC-SHA256 |
| Iterations | 210,000 |
| Output | 256-bit key |
| Salt | 32 bytes, unique per user |
Why 210,000 Iterations?
More iterations = slower key derivation = harder to brute-force.
| Password Manager | Iterations |
|---|---|
| TorrinPass | 210,000 |
| 1Password | 100,000 |
| LastPass | 100,100 |
| Bitwarden | 100,000 |
| OWASP Recommendation | 210,000 |
We follow OWASP’s 2023 recommendation for PBKDF2-SHA256.
How It Works
```
Master Password: "MyDog2024!"
        +
Salt: [32 random bytes, unique to you]
        ↓
PBKDF2-HMAC-SHA256 (210,000 iterations)
        ↓
256-bit Master Encryption Key (MEK)
```
Brute-Force Protection
With 210,000 iterations, an attacker trying to guess your password faces:
- 1 guess takes ~0.2 seconds on a modern CPU
- 1 million guesses takes ~2.3 days
- 1 billion guesses takes ~6.3 years
And that’s per password attempt. A strong master password makes this effectively impossible.
Salt: Preventing Rainbow Tables
Each user has a unique 32-byte salt. This means:
- Pre-computed password tables are useless
- Each user’s key derivation is unique
- Same password → different keys for different users
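Putting the derivation flow and the per-user salt together, as an added Python example that is not TorrinPass's own code: it derives the MEK with the page's parameters (PBKDF2-HMAC-SHA256, 210,000 iterations, 32-byte salt, 256-bit output) using the standard library's `hashlib`, times one derivation (the cost each brute-force guess pays), and shows that the same password gives different keys under different salts. The function names and the fixed demo salts are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Parameters from the page's configuration table (example code, not TorrinPass's own).
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 32
KEY_BYTES = 32  # 256-bit Master Encryption Key (MEK)

def new_salt() -> bytes:
    """Fresh per-user salt from the OS CSPRNG; generated once and stored beside the vault."""
    return os.urandom(SALT_BYTES)

def derive_mek(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into the 256-bit MEK with PBKDF2-HMAC-SHA256."""
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be exactly {SALT_BYTES} bytes")
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES)

def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so a check does not leak how many bytes matched."""
    return hmac.compare_digest(a, b)

def seconds_per_guess(salt: bytes, trials: int = 3) -> float:
    """Time one derivation: the cost every brute-force guess pays on this machine."""
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_mek("wrong guess", salt)
        best = min(best, time.perf_counter() - start)
    return best

def demo() -> dict:
    # Constructed inputs: the page's sample password and two fixed 32-byte salts
    # (fixed only so the demo is reproducible; real salts come from new_salt()).
    password = "MyDog2024!"
    salt_alice, salt_bob = bytes(range(32)), bytes(range(32, 64))
    mek_alice, mek_bob = derive_mek(password, salt_alice), derive_mek(password, salt_bob)
    return {
        "deterministic": keys_match(mek_alice, derive_mek(password, salt_alice)),
        "same_password_different_users": not keys_match(mek_alice, mek_bob),
        "wrong_password_rejected": not keys_match(mek_alice, derive_mek("MyDog2023!", salt_alice)),
        "key_bits": len(mek_alice) * 8,
        "seconds_per_guess": seconds_per_guess(salt_alice),
    }
```

The `seconds_per_guess` figure is what the brute-force estimates above are built from; multiply it by the number of guesses to see the attacker's cost on your own hardware.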