I strongly encourage you to use a far higher number of iterations when deriving encryption keys. At even 13,000 iterations (the equivalent of spending 100ms in PBKDF2 on a Core i7), 8-letter passwords are trivially crackable. At only 1,000 iterations, the user's password will need to be very long to provide the same level of security, and many people may not realize this when choosing their password.
You can use the CommonCrypto framework to estimate the number of iterations needed to engage the user's machine for a period of (for example) 5 seconds:
And of course if claims about scrypt are to be believed, then you might consider switching your key derivation function entirely.
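Added example (not from the original issue or the project it was filed against): a portable Python version of the calibration the comment describes. On macOS, CommonCrypto exposes `CCCalibratePBKDF` for exactly this; the block below does the same thing with `hashlib.pbkdf2_hmac`, timing a probe derivation and scaling the iteration count linearly to the target duration (100 ms and 5 s, the two figures in the comment). The PRF (SHA-256), key length, probe size and all function names are assumptions chosen for this example.

```python
"""Estimate the PBKDF2 iteration count that keeps this machine busy for a target time.

Added example; portable stand-in for CommonCrypto's CCCalibratePBKDF.
"""
import hashlib
import os
import time

# Assumed parameters for this example: SHA-256 as the HMAC PRF, 32-byte derived key.
PRF = "sha256"
KEY_LEN = 32


def derive_key(password: bytes, salt: bytes, iterations: int, key_len: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC over PRF. This is the work an attacker must repeat for every guess,
    so its cost per call is what the iteration count controls."""
    return hashlib.pbkdf2_hmac(PRF, password, salt, iterations, dklen=key_len)


def time_pbkdf2_ms(iterations: int, password_len: int = 8, salt_len: int = 16) -> float:
    """Wall-clock milliseconds for one derivation at `iterations` on this machine."""
    password = b"x" * password_len  # constructed probe input; the password's content does not affect cost
    salt = os.urandom(salt_len)     # constructed random salt for the probe run
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return (time.perf_counter() - start) * 1000.0


def scale_iterations(probe_iterations: int, elapsed_ms: float, target_ms: float) -> int:
    """Linear scaling: PBKDF2 cost grows proportionally with the iteration count,
    so (target / elapsed) * probe gives the count for the target duration."""
    if elapsed_ms <= 0:
        raise ValueError("elapsed_ms must be positive")
    return max(1, round(probe_iterations * target_ms / elapsed_ms))


def calibrate_iterations(target_ms: float, probe_iterations: int = 1000, rounds: int = 3) -> int:
    """Estimate how many iterations take about `target_ms` on this machine.

    The minimum of several probe timings is used so that scheduler noise inflates the
    measured time (and therefore deflates the estimate) as little as possible.
    """
    elapsed = min(time_pbkdf2_ms(probe_iterations) for _ in range(rounds))
    return scale_iterations(probe_iterations, elapsed, target_ms)


if __name__ == "__main__":
    # The two durations mentioned in the comment: ~100 ms and ~5 s of derivation time.
    for target in (100.0, 5000.0):
        n = calibrate_iterations(target)
        print(f"~{n:,} iterations for {target:.0f} ms on this machine")
    # Re-time the 100 ms estimate to show how close the linear scaling gets.
    n100 = calibrate_iterations(100.0)
    print(f"measured: {time_pbkdf2_ms(n100):.1f} ms at {n100:,} iterations")
```

Calibrate once at install or first-run time and store the resulting count alongside the salt, since the number depends on the machine that ran the probe; a value derived on a fast desktop will still be the lower bound an attacker's hardware has to pay per guess.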