Architecture vs Brute-Force: What I Learned Benchmarking KDFs for my Thesis
The article discusses the trade-off between user verification time and the brute-force cost for an attacker when choosing a Key Derivation Function (KDF). The author benchmarked Argon2id, Bcrypt, and PBKDF2 across different hardware tiers to identify their real-world breaking points. The results show that Argon2id is the most secure option due to its memory-hard design, while PBKDF2 is the least secure due to its low memory requirement. The author provides normalized parameters for each algorithm to maximize security while maintaining a consistent user experience. Engineers should consider these results when choosing parameters for a password manager.
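The latency-budget idea the article applies, as an added example that is not the thesis author's benchmark code: calibrate PBKDF2-HMAC-SHA256 (via Python's `hashlib`) so one verification costs a chosen number of milliseconds, then read the attacker's per-guess cost off the same measurement. The hash choice, key length, target budget and iteration floor are assumptions for illustration, not parameters from the article.

```python
import hashlib
import hmac
import os
import time

# Added example (not the thesis author's benchmark code): tune PBKDF2-HMAC-SHA256
# to a chosen verification-latency budget, the user-side half of the trade-off
# the article measures. Hash choice, key length and the floor are constructed.
KDF_HASH = "sha256"
KEY_LEN = 32

def pbkdf2_derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Derive a KEY_LEN-byte key; cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac(KDF_HASH, password, salt, iterations, dklen=KEY_LEN)

def verify_password(password: bytes, salt: bytes, iterations: int,
                    expected: bytes) -> bool:
    """Re-derive and compare in constant time so the check leaks no timing."""
    return hmac.compare_digest(pbkdf2_derive(password, salt, iterations), expected)

def time_iterations(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation at `iterations`."""
    salt = os.urandom(16)
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        pbkdf2_derive(b"benchmark-password", salt, iterations)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]

def calibrate_iterations(target_seconds: float, floor: int, probe: int = 20_000) -> int:
    """Iteration count costing about `target_seconds` on this machine.

    PBKDF2 is linear in iterations, so time one probe run and scale; never
    drop below `floor`, because a fast machine must not weaken stored hashes.
    """
    per_iteration = time_iterations(probe) / probe
    return max(int(target_seconds / per_iteration), floor)

def attacker_guess_rate(iterations: int, cores: int) -> float:
    """Guesses per second `cores` CPU cores manage at this iteration count on
    this hardware: the defender's latency budget and the attacker's per-guess
    cost are the same number when both run the same KDF on the same CPU."""
    return cores / time_iterations(iterations, rounds=1)

if __name__ == "__main__":
    n = calibrate_iterations(0.25, floor=100_000)  # constructed budget and floor
    print(f"iterations for ~250 ms: {n}; 1-core guesses/s: {attacker_guess_rate(n, 1):.1f}")
```

Run the same harness on each hardware tier you care about; the floor is what keeps a fast build machine from shipping a weaker setting than a slow client would accept.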