Argon2id settings

Hello guys !!

I have cranked up the argon2id settings to max, 1gb, 10i, 16p. Is having the parallelism high makes the password cracking more easy or more difficult ?? I’m not sure if I understand it correctly.

On my windows pc, on the desktop app, browser extension and the web interface it takes around 10 seconds to login. On my android phone the app it takes 10 seconds too, only the web interface takes a long time (50 seconds), but I don’t mind it.

I have a 6 words random passphrase from bitwarden generator with 101 bits of entropy (according to keepass)

Is this setup good ?? I want to make it as uncrackable as I can.

“more easy or more difficult”

More easy.

“I have a 6 words random passphrase from bitwarden generator with 101 bits of entropy (according to keepass)”

KeePassXC says it is only 77.55 bits of entropy. Therefore, it’s considered Good, not Excellent.

The problem with entropy calculators is that if you put your passphrase in an entropy calculator that thinks it’s a password, the entropy it says you have is going to be artificially high.

In my opinion, 77.55 bits of entropy is not high enough for a master password if your objective is as you say:

“I want to make it as uncrackable as I can.”

Even for websites I like at least 90 bits of entropy. For a master password protecting the whole database, and intended to do so for many years to come, I feel entropy should be above 130 bits.

What do you mean it 77.55 ?? I checked my own password in keepassxc and it says that it’s 101. I will add seventh word in the future, then maybe it’ll be around 130 bits.

As for the argon2id settings what do you propose to make it more secure ?? Isn’t my settings good ?? Do I need to lower the parallelism ??

“What do you mean it 77.55 ?? I checked my own password in keepassxc and it says that it’s 101. I will add seventh word in the future, then maybe it’ll be around 130 bits.”

Check it using the passphrase option, not the password option. KPXC says all 6-word passphrases have 77.55 bits of entropy.

“As for the argon2id settings what do you propose to make it more secure ?? Isn’t my settings good ?? Do I need to lower the parallelism ??”

Drop parallelism to 1 and iterations to 5. See how that works. Most of your anti-cracking strength should come from the password/passphrase.

Since you want maximum security, you need a stronger password/passphrase.

@bep1995 Your setup is already plenty secure.

@Herc is correct about your passphrase having “only” 77.55 bits of entropy, but this is plenty strong for a Bitwarden master password.

Even if you were using the default KDF settings (600,000 iterations of PBKDF2-SHA256) instead of Argon2id, it would take over 200 billion years to crack your password using a single GPU. The Argon2id algorithm (especially with the high memory setting you are using) is going to slow this down even more (around 10–100 fold, I would guesstimate).

If you wish to further strengthen your KDF to support your psychological well-being, then lower the parallelism.

1 Like

Did you pick this number out of a hat? Compared to the 50 bits we normally recommend for the vault password, it is excessively high. How did you arrive at 130 bits (as opposed to 100 bits or 200 bits, say)?

In the KeePassXC audit (KeePassXC Audit Report – KeePassXC), the auditor writes:

“Configure KeePassXC to generate passwords that are at least 20 characters long.”

That yields entropy above 110 bits.

For a master password protecting my entire database of highly sensitive information, I want substantial overkill for peace of mind.

I checked my password not in the generator but in the field when you choose your master password. In the generator it says 90.47 maybe because I chose a word separator and a capital letter for each word. I want to make it unbreakable but above 6 or 7 words I think it’s too much.

@grb So, you say that my kdf settings are good.
Maybe I will drop the parallelism from 16 to 14 or 12. I will see.

I drop it to 10, so I have 1gb, 10 iterations, 10 parallelism.
I think I’m happy with these settings.

The 20-character recommendation is to attain max entropy for a 128-bit hash or 128-bit encryption. That recommendation is fine for passwords stored in your password manager, provided that the website you are logging in to does not have a password length restriction that is lower than 20 characters. However, 128 bits of password entropy is still overkill for such applications, as it would require over 1019 years/GPU to crack such a password even if hashed using the trivial NTLM algorithm; nonetheless, it does not cost anything to use such passwords if stored in a password manager (provided the website you are logging in to does not balk at this password length), so why not? Likewise, if a website correctly handles even longer passwords, why not use a 40-character random password string, for 256 bits of entropy?

These recommendations to not apply to your vault password, because well-designed password managers (like Bitwarden) use a slow hash function to limit the rate at which brute-force attacks can be carried out. Specifically, the default KDF settings for Bitwarden (600,000 iterations of PBKDF2-SHA256) reduce the hashing speed to 15,000 password guesses per second on a top-of-the-line GPU (the $1800 RTX 4090). For context, the NTLM hashing algorithm allows for password hashing at a rate of 288 billion guesses per second on RTX 4090 GPU, so the time to crack a vault master password is about 20 million times longer than the time to crack a website account password that has been hashed using the NTLM algorithm.

We don’t usually know what hashing algorithm is used by websites where we have accounts, so there it makes sense to use excessive entropy (to make up for the possibility of an outdated hashing algorithm that doesn’t slow down cracking attempts by a meaningful amount). In contrast, we do know what hashing algorithm is used by Bitwarden, and we even have the ability to customize the algorithm to make it significantly slower (which is what @bep1995 is doing) than the already slow default configuration. For this reason, we are able to use a lower-entropy master password for the Bitwarden vault, which makes memorization and manual typing of the master password tractable.

Therefore, the standard recommendation for a Bitwarden master password is to use a random 4-word passphrase (52 bits of entropy). If you are concerned about “steal now crack later” threats, then use a passphrase containing 5–7 words (one extra word for every 25-years of future-proofing against attacks using conventional computers that have improved over time according to Moore’s Law), or use an 8-word passphrase to protect against future cracking attempts using quantum computers.


So, if I use a 6 word passphrase I’m good for the next 50 years ??

Yes, they are much higher than needed. I would guesstimate that the cracking rate for your Argon2id configuration is around 1000 password guesses per second (for one GPU).

If you imagine a crazy scenario in which a network of a million GPUs are collaborating to crack your master password, then the combined guessing rate of this network would be 1 billion guesses per second. If this GPU network is computing continuously for 1000 years (racking up billions of dollars in electricity costs in the process), then it could still only check 3×1019 different password guesses. If you are using a 6-word passphrase, then the number of possible permutations to test is over 2×1023. Therefore, the probability that they find your master password in that 1000-year time period is less than 0.0015%.

1 Like

Probably closer to 60–80 years with your current KDF settings.

@grb I will be dead in 60-80 years. I dropped the parallelism to 10 from 16 as I said in the update in my previous post. So maybe I’m good for 100 years.
But with the rapidly change of the technology, you never know.

grb, if all you say is true, why do so many well-informed people balk at storing password databases and password database backups on cloud accounts?

You make it seem so easy to protect one’s prized data from attackers, yet I’ve encountered many knowledgeable people afraid of keeping their database on a cloud account.

Do they just not understand the math?

Edit: Bruce Schneier understands the math, and yet says:

“My particular choices about security and risk is to only store passwords on my computer—not on my phone—and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably.”

One reader in the comments says: “Bruce’s advice makes a lot of sense. Cloud and mobile are too dangerous to trust with such extreme information.”

Another: “I do keep backups, but not in the cloud. And I don’t save passwords on my phone.”

Another: “My password vault never enters the cloud.”

One more: “The whole concept of cloud storage is utter madness to me, from a security perspective. I would not store anything on the cloud that needs to be kept confidential–that is, unless you are an expert.”

I understand the reason that some people don’t want their passwords to be on the cloud.

But why they don’t want their passwords on their phone ?? How the heck I will login on dozens of websites if I don’t have the passwords ??

I think one factor that answers that question is, they can live without having the passwords on the phone.

A generalized answer is, not everybody is the same. As the link in the Schneier’s article ( Before You Use a Password Manager | by Stuart Schechter | Medium ) says:

I cringe when I hear self-proclaimed experts implore everyone to “use a password manager for all your passwords” and “turn on two-factor authentication for every site that offers it.” As most of us who perform user research in security quickly learn, advice that may protect one individual may harm another. Each person uses technology differently, has a unique set of skills, and faces different risks.

Some people may not like their most valuable possessions on the phone because it can be lifted while it is unlocked, or you can be forced to also hand over the locking mechanisms.

Do you have reason to believe that any of it might not be true? If you need a source cited for anything I’ve written, let me know.

I can’t account for why people hold on to irrational beliefs. Bruce Schneier’s blog post simply states, with no justification or rationale, “My particular choices about security and risk is to only store passwords on my computer—not on my phone—and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably”. This non-sequitur assertion is not convincing.

The linked blog article by Stuart Schechter does not seem to make any recommendations about avoiding cloud storage.

I scanned the comments and noticed at least two users who were happy storing their passwords in Excel spreadsheets. So that may say something about the level of sophistication of the commenters.

I read/skimmed Schechter’s blog article, and the key take-away seems to be: password managers may not be a good idea for you, if you are likely to get malware on your devices or to lock yourself out of your vault.

I would summarize the key takeaways as: password managers solve some security problems, but they may make the user more vulnerable to others. He lists these problems in the subsection “Password managers can also put passwords at risk”: losing master password, attacks on unlock including malware, others with administrative access to your machine, unprotected devices, thieves that can attain unlocked access, and PWM software vulnerabilities.

Although I think the piece is likelier to discourage people unfamiliar with the benefits of using a password manager, he has many good points. Some of these points are often subjects of discussions in forums like this.

To be clear (in the context of the discussion in this thread): None of the points made amount to any kind of warning against using cloud storage for passwords.