My understanding is that a strong master password should still be secure even with a low number of KDF iterations, but for a product like a password manager, the bar should probably be higher than that. The hash credential to login to Bitwarden servers is only 1 PBKDF2 iteration from the vault master key. Memory (m) = . Bitwarden has also recently added another KDF option called Argon2id, which defends against GPU-based and side-channel attacks by increasing the memory needed to guess a master password input. This operation logs the user out of all accounts in any event so it should be relatively low friction to update the KDF iterations simultaneously. With the warning of ### WARNING. Check the kdfIterations value as well, which presumably will equal 100000. Making just one more comment, because your post is alluding to password managers in general, Bitwarden uses a completely different KDF, in their case, PBKDF2-HMAC-SHA256, which is only CPU hard, and not memory hard. Then edit Line 481 of the HTML file — change the third argument. 5s to 3s delay or practical limit. Bitwarden Increases KDF iterations to 600k for new accounts and double-encrypts data at rest. For scrypt we could get by, by setting the work factor N (which influences both computation and memory) and storing this in the KDF Iterations (although ideally a user could configure the other parameters too). We recommend a value of 600,000 or more. Bitwarden currently has a default setting of 100,001 iterations client-side with an additional 100,000. However, what was more sharply criticized was the failure of LastPass to migrate older accounts to their new default, with many older accounts being left at 5,000 iterations and even reports of accounts with the iterations set to as low as 1.
Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on slower or older devices. For scrypt there are audited and fuzzed libraries such as noble-hashes. Additional info from the team, does this sound like the issue: [Android] When account it set to maximum 2,000,000 PBKDF iterations cannot log on · Issue #2295 · bitwarden/mobile · GitHub. I changed my KDF from 100k to 300k, so nowhere near that limit, and I am unable to login to the web vault. Yes and it’s the bitwarden extension client that is failing here. LastPass had (and still has) many issues, but one issue was allowing low iterations (1 or 500) on their KDF. On the cli, argon2 bindings are used (though WASM is also available). The user probably wouldn’t even notice. 1 was failing on the desktop. Do keep in mind Bitwarden still needs to do QA on the changes and they have a 5 week release cycle. If your keyHash value is from later than June 9, 2021, you will need to save a copy of the HTML code of this webpage. Low KDF iterations. Bitwarden setting for PBKDF2 is set low at 100,001 and I think 31,039,488 is better. log file is updated only after a successful login. Our default is 100,000 iterations, the Min allows for higher performance at the user's discretion but the key length combined with the password still makes this relatively. The slowness of the Argon2id algorithm can also be adjusted by increasing the number of iterations required, but Argon2id also provides for other adjustments that can make it.
Based on the totality of the evidence available to date (as summarized above), my best guess is that the master password hash stored in the cloud database became corrupted when you changed the KDF iterations. Exploring applying this as the minimum KDF to all users. At our organization, we are set to use 100,000 KDF iterations. (The key itself is encrypted with a second key, and that key is password-based. On the typescript-based platforms, argon2-browser with WASM is used. With the ambiguity in some of the Bitwarden staff responses, it is difficult to say at this time what is going on. I have created basic scrypt support for Bitwarden. I don’t think this replaces an automatic migration or at least global notifications for iterations set below the default, but it is still a good suggestion. So I go to log in and it says my password is incorrect. Now I know my username/password for BitWarden. Not sure if this is already on @Quexten’s and Bitwarden devs’ list of things to do, but I think it would be very helpful to update the Interactive Cryptography Tool to include an implementation of the new Argon2 KDF Support (including the ability for users to test the settings for iterations, memory, and parallelism parameters). This was mentioned as BWN-01-009 in Bitwarden’s 2018 Security Assessment, yet there we are five years later.
But they don’t even store the kdf / iterations in the database, so changing it would require another database migration / backend change which I didn’t really feel like taking on considering how low the risk for a send is anyways. I'm curious if anyone has any advice or points of reference when it comes to determining how many iterations is 'good enough' when using PBKDF2 (specifically with SHA-256). Great additional feature for encrypted exports. Therefore, a rogue server could send a reply for. Both the admin web server side and my Bitwarden clients all currently show a KDF iterations value of 100000. Scroll further down the page till you see Password Iterations. No, the OWASP advice is 310,000 iterations, period. If you want to do manual brute-force guesses, go to Bitwarden’s interactive cryptography tool. It’s only similar on the surface. Source: personal experience with a low-end smartphone taking 10-15s to unlock the vault with max KDF iterations count.
Amongst other weak points in the attack, LastPass was found to have set the iterations to a low count, which is considered an insecure practice. I would suggest getting in touch with tech support, in case there is anything they can do to diagnose or fix your problem. The current KDF, PBKDF2 uses little to no memory, and thus scales very well on GPUs which have a comparatively low amount o… Ok, as an update: I have now implemented scrypt for the mobile clients. For comparison, KDF iterations: 4, KDF memory (MB): 256, KDF concurrency: 4 takes about 5 seconds. On a sidenote, the Bitwarden 2023. I guess I’m out of luck. Click the Change KDF button and confirm with your master password. I myself switched to using bitwarden_rs, which is compatible with the bitwarden clients. Under “Security”. ), creating a persistent vault backup requires you to periodically create copies of the data. The point of argon2 is to make low entropy master passwords hard to crack. In this case, we recommend using a relatively low value for the Argon2 memory parameter (64 MB or less, depending on the app and the database size) and a relatively high number of iterations. I thought it was the box at the top left. Instead of KDF iterations, there is a “Work Factor” which scales linearly with memory and compute.
Have users experienced issues when making this change to an existing Bitwarden account? I know the CYA answer is to always back up the data, which I would do, but I would like to be aware of any potential problems that might arise. And low enough where the recommended value of 8ms should likely be raised. LastPass uses the standard PBKDF2 (Password-Based Key Derivation Function 2). alfonsojon (Jonathan Alfonso) May 4, 2023, 2:46pm. It will cause the pop-up to scroll down slightly. log file gets wiped (in fact, save a copy of the entire . Security expert Dmitry Chestnykh had mentioned this problem in 2020, yet it still remains unresolved. I had never heard of increasing only in increments of 50k until this thread. Bitwarden can do a lot to make this easier, so in turn more people start making backups. The default parameters provide stronger protection than 600,000 PBKDF2 iterations, and you may get the additional protection without any performance loss. Higher KDF iterations can help protect your master password from being brute forced by an attacker. Mobile: The C implementation of argon2 was held up due to troubles building for iOS. More is better, up to a certain point. Whats_Next June 11, 2023, 2:17pm.
Passwords are chosen by the end users. In contrast, increasing the length of your master password increases the. My account was set to 100000 by default!! To change it, log into your WebUI and go to Account > Security > Keys. Can anybody maybe screenshot (if. Unless there is a threat model under which this could actually be used to break any part of the security. Vaultwarden works! More data, on the desktop I downgraded the extension for FF to 2022. I appreciate all your help. You should switch to Argon2. I didn’t realize it was available as I had been looking in the extension and desktop apps, not realizing a different option existed in the web vault. By the way, Sends (which I don’t really use) also have 100K fixed pbkdf2.
GitHub - quexten/clients at feature/argon2-kdf. Question about KDF Iterations. Bitwarden is abiding by these new recommendations, and when you log into the Bitwarden web app you may see a message saying your KDF Iterations setting is too low. Can anyone share which part of this diagram changes from 100,000 to 2,000,000? The number of items stored in your vault will not affect the time to complete the KDF calculations during login or unlocking, as the KDF ("Key Derivation Function") is only for the purpose of deriving the account encryption key, which is the symmetric. I just found out that this affects Self-hosted Vaultwarden as well. The client has to rely on the server to tell it the correct value, and as long as low settings like 5,000 iterations are supported this issue will remain.
Dear Community, I searched this community and the web in general, but I did not find a solution for my problem yet, no matter what I tried. Your master password is used to derive a master key, using the specified number of. Should your setting be too low, I recommend fixing it immediately. Another KDF that limits the amount of scalability through a large internal state is scrypt.
There's just no option (from BW itself) at all to do this other than to go manually and download each one. Iterations are chosen by the software developers. Kyle managed to get the iOS build working now,. pub const CLIENT_KDF_ITER_DEFAULT: i32 = 5_000; Was wondering if there was a reason it's set so low by default, and if it shouldn't be 100,000 like Bitwarden now uses for their default? Or possibly a configurable option like how PASSWORD_ITERATIONS is. iOS limits app memory for autofill. Change the **KDF iterations** to 600000 (Six Hundred Thousand) or higher! Keep in mind that this doesn't do you much good however if you have a weak master password.
Bitwarden has never crashed, none. ddejohn: but on logging in again in Chrome. A small summary of the current state of the pull requests: Desktop/Web: Mostly done, still needs QA testing for all platforms. Feel free to resume discussion on GitHub: Discussions · bitwarden/server · GitHub, Discussions · bitwarden/clients · GitHub, Discussions · bitwarden/mobile · GitHub. This pull request changes the export and import to remove the hardcoding, such that they work with different iteration counts and different KDF types. No adverse effect at all. LastPass got in some hot water for their default iterations setting bein…
This setting is part of the encryption process and everyone that uses Bitwarden needs to update it. Feature function: Allows admins to configure their organizations to comply with. If changing your iteration count triggers a re-encryption, then your encryption key is derived from your password. From information found on KeePass that tells me iOS requires low settings. Where I agree with the sentiment is when users panicked because they realized that Bitwarden hadn't immediately updated the default KDF iterations from 100k to 310k when OWASP changed their recommendations in 2021, and weren't automatically updating existing users' KDF configurations when the recommendation increased to 600k earlier.
json: csp should be "extension page*s*", and add wasm-unsafe-eval so we can load the wasm. The KDF iterations increase the cracking time linearly, so 2,000,000 will take four times as long to crack (on average) as 500,000. If all of your devices can handle it (looking at you, Android), you could just bump up to 2,000,000 and be done second-guessing yourself. There are many reasons errors can occur during login. Security Now podcast did a follow-up to the last episode on the LastPass debacle and one of the things that Steve Gibson mentioned is that vault providers need to move away from PBKDF2 and the number of hash iterations to an algorithm that is resistant to GPU attacks. Feature name: Provide a way for an admin to configure the number of minimum KDF iterations for users within an organization. The title of the report is: "KDF max iterations is [sic] too low", hence why I asked what you felt a better max number would be, so if the issue is the min number, that's different.
I also appreciate the @mgibson and @grb discussion, above. Set minimum KDF iteration count to 300. Expand to provide the encryption and MAC key parts. OK, so now your Master Password works again? Anyways, always increase memory first and iterations second as recommended in the argon2. Code changes: We just inject the stateservice into the export service to get the KDF type and iterations, and write them into the exported json/use them to encrypt. As for me I only use Bitwarden on my desktop. Check the upper-right corner, and press the down arrow. Shorten8345 February 16, 2023, 7:50pm.
I just set it to 2000000 (2 million), which is the max that Bitwarden currently allows (Dec 27th 2022). Login times: Pixel 6: ~5 seconds; Lenovo ThinkPad P1 Gen 3 (manufactured/assembled 11/16/2020) with Intel(R) Core(TM) i7-10875H 8/16 HT core: ~5 seconds. The server limits the max kdf iterations (even for the current kdf) to an insecure/low value. Increased default KDF iterations for PBKDF2: New Bitwarden accounts will use 600,000 KDF iterations for PBKDF2, as recommended by OWASP. Changed my master password into a four random word passphrase. This strengthens vault encryption against hackers armed with increasingly powerful devices. In the thread that you linked, the issue was that OP was running third-party server software that is not a Bitwarden product, and attempting to use a Bitwarden client app to log in to their self-hosted server that was running incompatible software. trparky January 24, 2023, 4:12pm. Also, to cover all the bases, are you sure that what you were using every day to unlock your vault. Set the KDF iterations box to 600000.
For Bitwarden, you max out at 1024 MB; Iterations t: number of iterations over the memory. Then try it again with Argon2id, using the minimum settings for memory (16 MiB) and iterations (2. In contrast, Dmitry Chestnykh wrote a well-researched piece in 2020 (with an update in January 2023) that describes exactly how a brute-force attack against a stolen Bitwarden vault would be possible using only 100,000 PBKDF2 iterations (or the KDF iteration value set by the user) per password guess, and even proposed an improved authentication. After changing that it logged me off everywhere. Currently, as far as I know, Bitwarden is the only password manager that offers the ability to directly import their password-protected . If a user has a device that does not work well with Argon2 they can use PBKDF2. Argon2 KDF Support. Going to see if support can at least tell me when my password was last changed (to rule out a very implausible theory), and at the very least see if it’s possible for them to roll my vault back to my old password. Thanks… There's no "fewer iterations if the password is shorter" recommendation.
We are in the process of onboarding an organization and I would like to be able to set a security baseline by having a default KDF iteration count for all accounts on the organization level. Next, go to this page, and use your browser to save the HTML file (source code) of that page. It's set to 100100. Low KDF alert: A new alert will appear in the web app when a user's KDF iterations are lower than industry recommendations, currently 600,000 iterations. Now it works! Seems to be a bug between the BitWarden extension and a Vault that has 100000 KDF iterations. That seems like old advice when retail computers and old phones couldn’t handle high KDF.
According to comments posted by Quexten at Bitwarden's community forums, the company has a 5-week release cycle, so we could expect Argon2 support to be added next month on all platforms if the tests are successful. This is equivalent to the effect of increasing your master password entropy by 2 bits, because log2(2000000/500000) = log2(4) = 2. Due to the recent news with LastPass I decided to update the KDF iterations.