I was just now updating some security stuff in bitwarden, and I wanted to change to argon2 kdf, however the iteration count seems way too low. The current max count is 10, which results in very fast execution times.
Using the maximum reasonable settings results in less than 200ms, which is potentially not very secure. Ideally, I would like the execution time to take at least 1 second on my fastest device, and less than 5 seconds on my slowest device.
I understand there needs to be a limit to protect users from themselves, but 10 is way too low and is leaving at least 800ms of additional margin on the table in my specific case.
Please see this post for why I can’t raise the memory consumption.
Using slightly better settings is an improvement, but this isn’t really a good result. Using 64M is probably okay, but going much higher could result in failing to unlock the vault according to various posts.
The ideal situation would be to just allow more iterations. It’s a simple fix to this specific problem.
Thanks, that might actually fix my problem, I’ll have to play around with it. I might have misread when they were talking about alternate unlocking mechanisms.
I still think 10 is probably too low of a limit, especially in memory constrained environments, the devs should probably take a look at that.
In the initial PR, the max iterations were 1024. This lead to QA soft-locking (>30 min unlock time) themselves out of their account. I feel like there could be a slightly better balance, but some users will always max out the settings, even if it’s not reasonable in their case.
Besides that, half a second of argon2 is still orders of magnitude above most PBKDF2 settings that take multiple seconds, when it comes to cracking resistance. Unless your master-password is exceptionally weak, this setting is secure (as in, will take a motivated attacker too many resources, both time and computational cost wise to make it worth it to crack your account, if they had obtained an encrypted copy).
I don’t disagree with anything you said, but I would like to reiterate that if I am willing to wait 1-5 seconds while my device spins, I am leaving some security on the table if it takes less than that. 1024 is probably too high, but a limit of 50-100 is much more reasonable.
I agree that argon2 is probably enough with 500ms, but systems should not be designed to only be secure against attacks today. There should be extra margin anywhere it makes sense to keep pace with improvements in computing and cryptanalysis.