Reputation: 105
I have a few questions about what appropriate PBKDF2 settings are. I googled for answers and came up mostly empty-handed.
Basically, I would like to know what appropriate values are for the inputs to pbkdf2.php (found here), considering the state of technology in 2012. What will give me a reasonable expectation that the passwords I encode will not be hackable by non-governmental entities for the next few years?
Here is what I am considering:
define("PBKDF2_HASH_ALGORITHM", "sha512");
define("PBKDF2_ITERATIONS", 20000);
define("PBKDF2_SALT_BYTES", 512);
define("PBKDF2_HASH_BYTES", 512);
I understand that there are many other things that come into play to create good security. Here is a synopsis of other security measures I am using:
Am I missing anything?
Upvotes: 2
Views: 364
Reputation: 106609
There's no one right answer to this question because different applications call for different levels of security. The right thing to do is to benchmark your application, and use as high a setting as your server(s) can comfortably deal with in a responsive manner. (Under load tests, of course)
You're already much more secure than the average system just by implementing PBKDF2 in the first place rather than a "fast", "message digest"-like algorithm, such as MD5 or SHA-1.
Upvotes: 0
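The benchmarking the answer above recommends, as an added example that is not part of the original page or of pbkdf2.php: it uses Python's hashlib rather than the PHP script from the question, calibrates the iteration count against a target time on the machine it runs on, and also checks what the question's PBKDF2_HASH_BYTES = 512 setting buys with SHA-512. The password, salt and target time are constructed for illustration.

```python
"""Calibrating a PBKDF2 iteration count by benchmark, and checking what a
derived-key length larger than the hash output actually buys.
Added example using Python's hashlib (not the pbkdf2.php from the question);
the password, salt and target times below are constructed for illustration."""
import hashlib
import os
import time

HASH = "sha512"                          # same algorithm as the question's settings
HLEN = hashlib.new(HASH).digest_size     # 64 bytes for SHA-512


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2-HMAC with the configured hash (standard library implementation)."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, dklen)


def time_derivation(iterations: int, dklen: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation (constructed inputs)."""
    pw, salt = b"correct horse battery staple", os.urandom(16)
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        pbkdf2(pw, salt, iterations, dklen)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def calibrate_iterations(target_seconds: float, dklen: int = HLEN,
                         probe: int = 1000) -> int:
    """Scale a quick probe up to the count that costs about target_seconds
    on this host. Run it on the production hardware, under load, and
    re-run it when the hardware changes; the result is a floor, not a cap."""
    per_iter = time_derivation(probe, dklen) / probe
    return max(probe, int(target_seconds / per_iter))


def blocks_needed(dklen: int) -> int:
    """PBKDF2 computes ceil(dklen / hLen) independent HMAC chains of
    `iterations` steps each, so cost scales with this number."""
    return -(-dklen // HLEN)


def long_output_is_prefix_extension(iterations: int = 1000) -> bool:
    """Requesting 512 bytes from PBKDF2-HMAC-SHA512 runs 8 chains, but the
    first 64 bytes are exactly the 64-byte derivation. An attacker checking
    a guess against the stored value only needs to compute block 1 and
    compare the prefix, so the extra blocks cost the defender 8x per login
    and the attacker nothing. Keep dklen <= hLen and spend the budget on
    iterations instead."""
    pw, salt = b"hunter2", b"\x00" * 16          # constructed inputs
    short = pbkdf2(pw, salt, iterations, HLEN)
    long = pbkdf2(pw, salt, iterations, 512)
    return long[:HLEN] == short


if __name__ == "__main__":
    print(f"{HASH}: hLen={HLEN}, a 512-byte output needs {blocks_needed(512)} blocks")
    print("first 64 bytes of the 512-byte output equal the 64-byte output:",
          long_output_is_prefix_extension())
    for dklen in (HLEN, 512):
        print(f"20000 iterations, dklen={dklen}: {time_derivation(20000, dklen):.3f}s")
    print("iterations for ~0.1s on this machine:", calibrate_iterations(0.1))
```

The timing numbers are only meaningful on the server that will actually verify logins; the point of `calibrate_iterations` is to pick the iteration count from measured cost under realistic load rather than from a round number, and to leave the derived-key length at the hash's own output size so that every extra unit of work falls on the attacker as well as on the server.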
Reputation: 3524
Just as an example, the default settings for sha512crypt in most modern Linux distros ($6$ in /etc/shadow entries) use 5000 iterations and 16 bytes of salt. That is plenty slow. But I'm not going to criticize you for overkill when it comes to hashing ;)
Upvotes: 2