Pull request for mobile argon2id now lives here:
Any idea when this will go live?
Considering the Bitwarden team is actively involved in all 3 PRs and mobile and server changes are pretty much finished, I donāt think it should take too much longer. Do keep in mind Bitwarden still needs to do QA on the changes and they have a 5 week release cycle.
Still fairly quick comparatively for any corporate software honestly IMO.
Really glad the team is so quick and ready to accept such changes and work to get them implemented.
Considering the Bitwarden team is actively involved in all 3 PRs
PR? Whatās that mean?
Still fairly quick comparatively for any corporate software honestly IMO.
Really glad the team is so quick and ready to accept such changes and work to get them implemented.
Thatās open source for you.
PR = Pull request, I.e someone writes code and suggests to (in this case) Bitwarden: āHey, there is this code I wrote, would you like to include (pull) it?ā
Oh, ok. So, considering that the core teams are involved in this, you think it wonāt be long. Good.
It seems that the password-protected JSON exports are hardcoded to use PBKDF2:
Perhaps this requires a separate PR, but it would be nice if when a user sets the hash function option to Argon2 for their vault, this setting would also be carried over to exports (and Sends).
I already have a PR for this open
By the way, Sends (which I donāt really use) also have 100K fixed pbkdf2. But they donāt even store the kdf / iterations in the database, so changing it would require another database migration / backend change which I didnāt really feel like taking on considering how low the risk for a send is anyways.
Mobile and Server support has been merged to master , only clients (Web/Desktop/Browser/CLI) is still in-progress.
Good stuff! I have one comment regarding the Argon2id default parametes as I noticed that you have chosen extremely conservative default values:
export const DEFAULT_ARGON2_MEMORY = 19;
export const DEFAULT_ARGON2_PARALLELISM = 1;
export const DEFAULT_ARGON2_ITERATIONS = 2;
It seems that the default values are based on the OWASP recommendation which I believe applies to server side operations where you may have a significant number of hashing/key derivation operations at the same time. This is not the case with Bitwarden as the key derivation is done on the client side. KeePass, for example, recommends following method to determine the memory parameter:
Find out the RAM size of each of your devices on which you want to open your database file. Let M be the minimum of these sizes. Set the memory parameter to min(M /2, 1 GB) (i.e. use the half of M , if it is less than 1 GB, otherwise use 1 GB).
I agree, they are based on OWASP. The defaults should run on all devices, so 1GiB is too large as a default. But I have suggested higher defaults on the configuration pull requests, letās see what the bitwarden team thinks on this.
OWASP recommendations are apparently cribbed from Steve Thomas, who explains the rationale for his recommendations in the Info section at the bottom of his Minimum Password Settings page. The settings are designed to throttle an attackerās hash speeds to 10kH/s/GPU. Of note is that this is the recommendation when using passwords for authentication purposes only. As Iāve noted in another post, when the password is used for encryption, hash rates should ideally be much slower (<1kH/s/GPU).
Thanks for finding this! Iāll note this on the GitHub thread aswell.
Thanks for the hard work youāre doing. Really appreciate it.
Have a nice day
Updated defaults now to Iterations = 3, Memory = 64MiB, Parallelism = 4 from RFC9106ās recommendation on āsafe defaultsā. If you have significantly worse system specs, then you can go lower. If you have higher specs on your devices you can go higher.
The recommended defaults in RFC9106 also specify ā128-bit salt, and 256-bit tag sizeā ā are these specs also implemented in your PR?
The salt is the email, so we donāt directly influence how many bitās it has. Since it has to be at least 8 bytes, I had to update it to be the SHA256 hash of the email such that even very short emails will work correctly. So it is 32 Byte i.e 256 bit.
Tag size = hash size. This is 32 Byte (or 256), same as for PBKDF2.
The last 2 Pull-requests have now been merged!
I saw comments about that WASM support is only affecting old browsers, in this thread and other KDF related threads.
Please be aware, there are modern web browser setups where WASM is disabled by default. Reliance on WASM is not that an optimal solution and I imagine it will break some clients.