What is “iteration count” and why is decreasing it a bad idea?
Iteration count is the number of PBKDF2 iterations a passphrase is put through before it is used to unlock a key-slot. Iterations are done with the explicit purpose of increasing the time it takes to unlock a key-slot. This provides some protection against the use of low-entropy passphrases. The idea is that an attacker has to try all possible passphrases. Even if the attacker knows the passphrase is low-entropy (see last item), it is possible to make each individual try take longer. The way to do this is to repeatedly hash the passphrase for a certain time. The attacker then has to spend the same time (given the same computing power) as the user per try. With LUKS, the default is 1 second of PBKDF2 hashing. Example 1: Let's assume we have a really bad passphrase (e.g. a girlfriend's name) with 10 bits of entropy. With the same CPU, an attacker would need to spend around 500 seconds on average to break that passphrase (on average, half of the 2^10 possible passphrases have to be tried, at 1 second each). Without iteration, it would be more like 0.0001 seconds on a modern CP
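As an added example (not code from the cryptsetup FAQ or project), the following Python script times PBKDF2-HMAC-SHA256 on the local machine to pick an iteration count that costs about 1 second per unlock, the way LUKS benchmarks its default, and then reproduces the arithmetic of Example 1. The hash choice, probe size and function names are assumptions made for the illustration.

```python
# Added example, not part of the cryptsetup FAQ: calibrate a PBKDF2 iteration
# count to a target unlock time and show what it buys against a weak passphrase.
import hashlib
import os
import time

# Constructed sample salt; in LUKS every key-slot has its own random salt.
SALT = os.urandom(32)


def pbkdf2_seconds(iterations, passphrase=b"example", salt=SALT):
    """Wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)
    return time.perf_counter() - start


def calibrate_iterations(target_seconds=1.0, probe=20_000):
    """Pick an iteration count so one unlock attempt costs ~target_seconds here.
    PBKDF2 cost is linear in the iteration count, so one timed probe suffices.
    A floor of 1000 iterations guards against a very fast or mis-timed probe."""
    elapsed = pbkdf2_seconds(probe)
    if elapsed <= 0:
        raise RuntimeError("probe too short to time; increase `probe`")
    return max(1_000, int(probe * target_seconds / elapsed))


def expected_crack_seconds(entropy_bits, seconds_per_try):
    """Average time to find a passphrase of `entropy_bits` bits of entropy when
    every guess costs `seconds_per_try`: half of the 2**bits space on average."""
    return (2 ** entropy_bits / 2) * seconds_per_try


if __name__ == "__main__":
    iters = calibrate_iterations(1.0)
    print(f"~1 s per unlock on this machine needs about {iters} iterations")
    # Example 1 from the FAQ: 10 bits of entropy, 1 s per try vs. no iteration.
    for bits in (10, 20, 40):
        slow = expected_crack_seconds(bits, 1.0)
        fast = expected_crack_seconds(bits, 0.0001)
        print(f"{bits:2d} bits: {slow:>14.1f} s with 1 s/try, "
              f"{fast:>12.4f} s with 0.1 ms/try")
```

The calibrated count is only valid for the machine that produced it; an attacker with more computing power per try shortens the times proportionally, which is why the iteration count buys time but never replaces passphrase entropy.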