[md_]

> There exists no computer system than can crack an AES256 encrypted document. The weaknesses are in the protocol.

Well, or in the human-chosen passphrase. There are plenty of systems that can brute force an 8-character alphanumeric password run through PBKDF2 for 100,000 rounds.

Per https://support.1password.com/pbkdf2/, that costs...about $60k.

So keeping the ciphertext safe is in fact a very reasonable precaution, especially if you have a fairly short input passphrase or are not using a ton of rounds of key stretching.

[twicetwice]

I simply use a 40ish character passphrase. My primary attack vectors are keyloggers/local malware and browser/extension vulnerabilities, which also apply to a local ciphertext.

[SavantIdiot]

You are correct: if the password used to create the key is trivial, then there definitely exists hardware that can guess AES256 passwords even if a KDF is used weakly.

I'm not sure how to read that table. Is that really the cost for a 100,000 iteration PBKDF2?!?

[md_]

I have not checked 1Password's math--they just come up in the results for "PBKDF2 cost of brute forcing". ;)

But yes, it matches my intuition--brute forcing human-strength keys is surprisingly cheap. (And I don't know if they're taking into account the discount if you have custom ASICs for this, defend against which is the argument made for scrypt instead.)