Bitwarden to increase its server-side iterations to 600,000

CrimsonChin · January 31, 2023, 3:51pm

Bitwarden to increase its server-side iterations to 600,000; here’s how to set it manually

With all the discussion here recently about security, and password managers I thought folks might find this useful.

https://www.ghacks.net/2023/01/31/bitwarden-to-increase-its-server-side-iterations-to-600000-heres-how-to-set-it-manually/

PseudorandomNoise · February 1, 2023, 3:13pm

Good tip, thanks for posting!

But anyone who listens to SN will agree - Bitwarden needs to come up with a way to prompt users to make this change on the client side. Happening automatically would be ideal, but if not a simple reminder popup would be better than nothing.

dalemsmith · February 26, 2023, 12:45pm

Thanks to a tip I heard listening to an episode of Security Now on Twit.tv, I learned you can increase the KDF iterations to 2,000,000. I did this a month ago or so and can’t tell the difference on any of my devices.

Leo · February 26, 2023, 5:44pm

Better yet, once all your clients have updated to 2023.2 you can choose Argon2 for your key derivative function. It’s memory hard so not brute-forceable via GPU.

miquelfire · February 27, 2023, 8:51pm

Once I figure how to test the speed, I plan on seeing how well my Chromebook tablet can handle Argon2. I think it’s the slowest machine I have with browser extensions right now. I recently had to log in to my vault, and it hung for a good while.

AndrewMC · March 5, 2023, 10:03pm

Just spent some time helping get my father setup with Bitwarden. They have been using simple passwords for far too long and I truly think 2fa is the only thing keeping their accounts secure. One thing I am hopeful is that bit warden will make some drastic improvements to their auto-fill and automatic password generation features. Lastpass did have this down pat, it could tell when you were on a site it knew or didn’t know, and offer to generate a new password and automatically save it.

Regardless it’s nice at the end of it all, even with the frustration of changing everything, to know everything is more secure. Be patient with the parents, they can be taught

PseudorandomNoise · March 7, 2023, 2:30pm

Can you please ask for Steve’s comment on these default values. Should we adjust any of these, or are they fine as is? I believe I saw something saying that going above 128MB for KDF Memory might cause problems on iOS.

Leo · March 8, 2023, 6:21pm

I will ask Steve, but I’ve done some research and the default values are widely deemed to be fine. The biggest change is moving to Argon2. I’ve done it with the default values without issues.

The one value that’s meaningless is KDF parallelism. For now, Bitwarden’s software only uses one thread. But, it’s harmless to leave it as is.

And remember, all this is only meaningful if you have a weak master password. A long random master password is the best protection.

For reference:

PseudorandomNoise · March 8, 2023, 8:46pm

Thanks! I’m sure I’m overthinking this but after having to cope with the reality that 600 of my passwords, my drivers license number and credit card info are all in the hands of… who the frack knows!.. I just really want to be careful. I’d greatly appreciate hearing Mr. S. Tiberius Gibson’s thoughts on the defaults.