Argon2 - Cross-platform performance is actually quite good

I read that a potential reason why Argon2 might not be used is because it’s not “hardware accelerated”. I decided to play around with several different implementations of Argon2, like KeePass, an npm Node package, and some arbitrary JavaScript implementation to run in a web browser. They were all within a factor of each other. From a security standpoint, that’s a “1 bit” difference.

Also less than a factor difference between Samsung S7, Intel i5, Samsung S20.

Other than development time, I see no reason to not do this. May want to warn the user about setting memory too high. May also want to have some way to test how long it will take for a calculation. A simple page with the config options and a timer would suffice.

It may not be the case it’s entirely about hardware acceleration per se, but hardware in general.

Argon2 looks to be optimized primarily for x86 multi-core and appears to derive its security from memory-hard functions.

Bitwarden must run on a range of architectures, all of which may not have the available RAM to perform large memory-hard processes.

Argon2 is completely configurable. You can do MiB to GiB and beyond. The end user just needs to be aware of what platforms they plan on using it on. For me it’s desktops with 32-64GiB of memory and cellphones with 6-12GiB.

It effectively comes down to this. pbkdf2 uses almost no memory at all, allowing a GPU to scale nearly perfectly with all of its thousands of cores. Setting Argon2 to even 8MiB would render most GPUs ineffective. It’s not just a total memory issue, but random memory access. Even if a GPU could handle the memory cost, they’re highly optimized for sequential access and limited shared cache.

The main thing is to make it optional, configurable, and maybe come with a decent warning when beyond certain memory parameters.

That’s true about pbkdf2, but 6-12GB for phones seems high (not everyone has a flagship).

Those GPU-accelerated attacks have to run through something like 100,000 iterations of pbkdf2 (customizable per account) per test, and they’re salted so any given attack would be specific to an individual user account.

Is anyone else using Argon2 yet? I think LastPass is still pbkdf2.

You’re probably right, though, going forward. PBKDF2 won’t last forever.

You don’t need a “flagship” phone to benefit. Even a few MiB would make all of the difference. And 6GiB is for a 4 year old flagship that I can get for free with a $40/m cellphone plan on a 2 year contract.

100,000 iterations isn’t a whole lot. Modern GPUs can crank through about 50mil hashes per second, which is about 500 passwords a second. Not much, but enough for a dedicated attack. A custom ASIC can do about 16 trillion hashes per second, which would be 160,000,000 passwords per second.

The bitcoin network is processing about 74 quintillion hashes per second, or at 100k hashes per attempt, about 74 trillion passwords per second.

Instead of GPUs being 1000x faster and ASICs being 1,000,000x faster than your CPU, they would be about the same speed at best. This is the main issue with pbkdf2. It’s only slow on your device, but fast for attackers. Argon2 levels the playing field.
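
Added example, not part of the original thread: a small timing harness in the spirit of the "config options and a timer" suggestion above, showing per-guess memory and time side by side. Argon2 is not in Python's standard library, so scrypt (also memory-hard) stands in for it here; the password, salt and parameter choices are constructed assumptions.

```python
import hashlib
import time

PASSWORD = b"correct horse battery staple"  # constructed sample input
SALT = b"constructed-salt-16"               # constructed; real salts are random per user


def scrypt_memory_bytes(n, r):
    """Dominant scrypt working set: n blocks of 128*r bytes each."""
    return 128 * n * r


def pbkdf2_key(iterations):
    # PBKDF2 needs only a few hundred bytes of state, whatever the iteration count.
    return hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, iterations, dklen=32)


def scrypt_key(n, r=8, p=1):
    # maxmem must cover the working set or OpenSSL rejects the parameters.
    limit = scrypt_memory_bytes(n, r) + 1024 * 1024
    return hashlib.scrypt(PASSWORD, salt=SALT, n=n, r=r, p=p,
                          maxmem=limit, dklen=32)


def best_time(fn, *args, repeats=3):
    """Return the fastest of several runs, in seconds."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - start)
    return best


def benchmark():
    """Return (label, memory_bytes, seconds) rows for each configuration."""
    # Memory is recorded as 0 for PBKDF2 because its working set is negligible.
    rows = [("pbkdf2-sha256 100,000 iterations", 0,
             best_time(pbkdf2_key, 100_000))]
    for n in (2**13, 2**14, 2**16):  # 8, 16 and 64 MiB with r=8
        rows.append((f"scrypt n={n} r=8 p=1",
                     scrypt_memory_bytes(n, 8), best_time(scrypt_key, n)))
    return rows


if __name__ == "__main__":
    for label, mem, seconds in benchmark():
        print(f"{label:34s} {mem / 2**20:5.0f} MiB {seconds * 1000:9.1f} ms")
```

Run it on each device you plan to unlock from; the memory column is what every parallel guess on an attacker's hardware would also have to allocate.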