Key stretching

Another way is to use cryptographic hash functions that have large memory requirements – these can be effective in frustrating attacks by memory-bound adversaries.

Consequently, key stretching remains vulnerable if it is not protected against certain time-memory tradeoffs, such as building rainbow tables to target multiple instances of the enhanced key space in parallel (effectively a shortcut to repeating the algorithm).

[6] With multi-million gate FPGAs costing less than $100,[7] an attacker can build a fully unrolled hardware cracker for about $5,000.

Similarly, modern consumer GPUs can speed up hashing considerably.

For example, in a benchmark, an Nvidia RTX 2080 SUPER FE computes over 10 billion SHA1 hashes per second.

The first deliberately slow password-based key derivation function "CRYPT" was described in 1978 by Robert Morris for encrypting Unix passwords.

The iteration count, designed for the PDP-11 era, is too low; 12 bits of salt is an inconvenience but does not stop precomputed dictionary attacks; and the eight-character limit prevents the use of stronger passphrases.

Modern password-based key derivation functions, such as PBKDF2, use a cryptographic hash, such as SHA-2, a longer salt (e.g. 64 bits) and a high iteration count.

The U.S. National Institute of Standards and Technology (NIST) recommends a minimum iteration count of 10,000.
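
The salted, iterated derivation described above, as an added example rather than code from the original article. It uses Python's hashlib.pbkdf2_hmac with SHA-256 and never goes below the 10,000-iteration minimum quoted in the text. The record format, the 16-byte salt, the 50 ms calibration target and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 10_000  # NIST minimum quoted in the text
SALT_BYTES = 16          # assumption: 128-bit random salt per password


def calibrate(target_seconds=0.05, probe=20_000):
    """Estimate an iteration count costing about target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", bytes(SALT_BYTES), probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(MIN_ITERATIONS, int(probe * target_seconds / elapsed))


def stretch(password, salt=None, iterations=MIN_ITERATIONS):
    """Derive a key and return an 'algorithm$iterations$salt$key' record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def verify(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        expected = bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record, bad hex, or iteration count < 1
        return False
    return hmac.compare_digest(key, expected)


def needs_rehash(record, current_iterations):
    """True when a stored record was stretched less than today's setting."""
    return int(record.split("$")[1]) < current_iterations


if __name__ == "__main__":
    count = calibrate()
    a, b = stretch("hunter2", iterations=count), stretch("hunter2", iterations=count)
    # Same password, different salts: the two records differ, both verify.
    print(count, a != b, verify("hunter2", a), verify("hunter2 ", a))
```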

[12] In 2013, a Password Hashing Competition was held to select an improved key stretching standard that would resist attacks from graphics processors and special purpose hardware.