Best Argon2id settings?

Hi Everyone,

I have switched from LastPass to Bitwarden for obvious reasons; only then did I see that it is a much more informative, safer, and more extensive (advanced options) extension compared to LastPass, and as a password manager.

I have decided to go from OWASP's recommendation of 350,000 iterations of PBKDF2 to Argon2id. I have an old (but reliable) Sandy Bridge i5 (quad core) @ 4.4 GHz and 14 GB of DDR3 RAM @ 1600 MHz with a Samsung SATA SSD; nifty for 14 years old, haha. Anyway, jokes aside, it says one should double the 'parallelism' of your CORE COUNT (4), so Parallelism is set at 8, 'Iterations' at 4 and memory at '350MB'. It takes about 2–3 seconds to log in on PC. Is this safe with an over-20-digit master password with high entropy? (All other passwords are also over 20 digits with high entropy, each unique.)

  • Is it true that if it takes 2–3 seconds to log in, it's going to be extremely hard to crack?

Many thanks in advance for your help and advice.

Unlike PBKDF2, Argon2 is also memory-hard, which makes the algorithm scale very badly on GPUs and ASICs. Thus, 2–3 seconds of Argon2 are much better than 2–3 seconds of PBKDF2. So yes, the setting is totally fine. That being said, with a 20-digit high-entropy master password you are safe, even at a very low PBKDF2 iteration count.


In this case, though, entropy may be in the eye of the beholder. I am doubtful that @DUD3 has memorized a 20-digit master password that is actually random, so he probably doesn’t have a valid basis for claiming that the password is “high entropy”.

@DUD3: Did you actually generate your password using a cryptographically secure pseudo-random number generator (or using a true entropy source, such as dice throws)?

@Quexten - Thanks for your reply, it's good to know.

@grb - Yes, I do memorize over-20-digit passwords for over 200 sites (even though they are in Bitwarden simply for ease and speed), each password unique (to each other), using 'memorized' algorithms. That's all I can say without revealing all my techniques and procedures, which hackers could incorporate into their scanning and decryption software when read.

“Why bother with BW then?” will probably be your next question. Simple: for ease/speed, and if I'm using a mobile or PC that doesn't have it, then I can STILL log in.

ways and methods my friend, ways and methods.

EDIT: @grb: “@DUD3: Did you actually generate your password using a cryptographically secure pseudo-random number generator (or using a true entropy source, such as dice throws)?” No, it's not entirely random, but it almost is; not the highest entropy you can get, but it's very high, as I know what makes entropy higher: all 4 digits, never repeat the same digit or upper/lower/number/symbol after one + more.

Cheers

@DUD3 — you left out the most important part of my comment:

You skirted my question about whether your master password was generated using a CSPRNG or true entropy source, but said:

It seems as though you don’t have a clear understanding of what entropy is. Certainly the following descriptions have little to nothing to do with entropy:

Each such rule actually reduces entropy.

If you want a master password that is guaranteed to make your vault uncrackable (as opposed to your “ways and methods”, which offer no such guarantees), then use a randomly generated passphrase of 4-5 words.
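The two points made in this thread, that a memory-hard KDF such as Argon2id denies an attacker the large GPU speed-up PBKDF2 suffers from, and that "complexity rules" like never repeating a character class shrink the search space rather than enlarge it, are easy to put numbers on. The following is an added example written for this page, not code from the thread or from Bitwarden. It assumes a 7776-word diceware-style list (the embedded word list is a constructed stand-in), the usual 26/26/10/32 character classes, and illustrative attacker speed-up factors that are stated inline as assumptions; the expected-time formula is the standard half-keyspace estimate for a uniformly random secret.

```python
"""Entropy and attacker-cost arithmetic for the master-password discussion above.

Added example, not part of the original thread. Word-list size, character
classes and attacker speed-ups are assumptions stated inline.
"""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: a diceware-style list has 7776 (= 6^5) words. The embedded list is
# a constructed stand-in so the generator runs offline; only the list *size*
# matters for the entropy maths, so the real size is passed explicitly.
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "hollow"]
DICEWARE_LIST_SIZE = 7776

# Assumption: character classes a typical "complex" password draws from.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def generate_passphrase(word_count, words=SAMPLE_WORDS):
    """Pick words uniformly, with replacement, from a CSPRNG (secrets)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of word_count words chosen uniformly and independently."""
    return word_count * math.log2(list_size)


def unconstrained_password_count(length, classes=CHAR_CLASSES):
    """Number of passwords when every position may hold any character."""
    return sum(classes.values()) ** length


def no_adjacent_same_class_count(length, classes=CHAR_CLASSES):
    """Number of passwords in which consecutive characters come from different
    classes (one reading of "never repeat upper/lower/number/symbol after one").
    Exact count by dynamic programming keyed on the class of the last character."""
    if length <= 0:
        return 1
    ending_in = dict(classes)  # length-1 strings, keyed by class of last char
    for _ in range(length - 1):
        total = sum(ending_in.values())
        # Next char of class c may follow any string not already ending in c.
        ending_in = {c: size * (total - ending_in[c]) for c, size in classes.items()}
    return sum(ending_in.values())


def entropy_bits(count):
    """log2 of a keyspace size."""
    return math.log2(count)


def expected_crack_years(bits, seconds_per_guess, attacker_speedup=1.0):
    """Expected time to hit a uniformly random secret of `bits` entropy:
    half the keyspace, at the defender's per-guess time divided by whatever
    speed-up the attacker's hardware has over the defender's."""
    guesses = 2 ** (bits - 1)
    return guesses * seconds_per_guess / attacker_speedup / SECONDS_PER_YEAR


if __name__ == "__main__":
    free = entropy_bits(unconstrained_password_count(20))
    ruled = entropy_bits(no_adjacent_same_class_count(20))
    print(f"20 random chars, any class:          {free:6.1f} bits")
    print(f"20 random chars, no same class twice: {ruled:6.1f} bits  (rule costs {free - ruled:.1f})")
    words = 5
    print(f"{words}-word random passphrase:            {passphrase_entropy_bits(words):6.1f} bits")
    print("sample passphrase:", generate_passphrase(words))

    # Assumptions: 2.5 s per guess on the OP's box; an attacker with GPUs gains
    # roughly 10,000x over that for PBKDF2 but only a few x for a 350 MB Argon2id.
    for name, speedup in (("PBKDF2 on GPUs", 10_000), ("Argon2id 350MB", 5)):
        print(f"{name}: {expected_crack_years(ruled, 2.5, speedup):.3e} years "
              f"for the rule-constrained 20-char password")
```

The dynamic-programming count is exact, so the "entropy cost" of the rule is not an estimate: for 20 characters the constrained keyspace is several bits smaller than the free one, and any attacker who learns the rule can prune exactly those candidates. The crack-time line is only as good as the speed-up assumptions; the point it illustrates is that the same 2.5 s login costs an attacker thousands of times more when the KDF is memory-hard.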

… and if I understand @DUD3 correctly, he/she doesn't speak of the master password, but of around 200 passwords for all the accounts! I can't imagine that these are random (as you explained, @grb) and unique (!) and memorizable (random, unique and high-entropy [and more than three to five such passwords, I guess] don't go along with memorizable, which is why we use password managers, I assume :sweat_smile:). And I agree that the mentioned “password rules” reduce the entropy.

My comments were in reaction to the following description of OP’s master password:

@grb Right. Sorry. I should have written “he/she doesn’t speak only of the master password”.

People memorize thousands of pi digits, so why is memorizing 20 random digits somehow unthinkable?

@mkrasnenkov I didn’t say it was unthinkable, I said that I was doubtful. And it turns out that my doubts were justified.