Has anyone solved this issue before? I click on the button, it takes me to my Keys page, and then I click “Change KDF” - that asks me to authenticate, which logs me into BitWarden again, and I am back to my home page where I get the warning. Endless loop - rinse and repeat.
The weird thing is, even though I click “Remember me” it never does. I am not in a private browsing tab, and I am allowing cookies. It always asks for username, password and 2FA.
What you’re describing doesn’t sound like the expected behavior (unless you’ve left some details out).
When you click Change KDF (which you should do after you have updated the KDF settings on the "Encryption key settings" form), then it should display a modal pop-up that prompts you for your master password (which is not the same as an authentication prompt). If you enter your master password and click Change KDF in the pop-up, you will be logged out of the Web Vault (and all other sessions). You should also (briefly) see a confirmation message stating that the new KDF settings were saved:
True, I get the modal authentication popup, but after entering my authentication (username, password, 2FA), I get redirected back to the vault with the same warning at the right. And it is interesting to note that I check off “Remember me,” however it still asks for all 3 elements of authentication each time.
You’re welcome. There is some fine print below the KDF settings that says “We recommend a value of 600,000 or more”, but you’re right — it may not be obvious at first glance that this is what is required to remove the “Low KDF” warning.
I think that an information icon with a small popup would also be necessary to make this a user-friendly experience. I have struggled with this myself, looking up Wikipedia pages about this topic because I had no clue at all. I read somewhere on a forum that most Android 8+ devices can easily handle 600,000 and that 900,000 really does not slow down your device even though it sounds like a lot.
It would be better if Bitwarden added more recommendations here. Like all open-source projects: the amount of control that is assigned to users is absolutely astonishing, but this can cloud the average user experience.
Also some information about newer, better algorithms like Argon2id would be useful.
For example: my Intel i5 laptop together with my Android 13 smartphone and Android 10 tablet easily support the same KDF setting. A setting of KDF algorithm: Argon2id - KDF iterations: 8 - KDF memory (MB): 96 - KDF parallelism: 6 has always worked thus far. Bitwarden has never crashed, and none of the three main devices has ever slowed down when I started the Bitwarden Android app or web extension besides my other apps/programs. This offers even more security and goes to show that a range of devices (not older than 5 years) can easily support heavier solutions. As long as we remain a bit realistic, of course.
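To make the "600,000 or more" recommendation from the fine print, and the cost trade-off discussed in the posts above, concrete: the script below is an added example, not code from Bitwarden or from anyone in this thread. It models the client-side master-key derivation as PBKDF2-SHA256 with the lower-cased e-mail as salt and a 32-byte output (an assumption made for illustration), checks an iteration count against the recommended minimum, and times a low setting against the recommended one so you can see what the user pays versus what an offline guesser pays per attempt.

```python
import hashlib
import time

# Recommended minimum quoted in the thread's fine print: "600,000 or more".
PBKDF2_RECOMMENDED_MIN = 600_000


def pbkdf2_meets_recommendation(iterations: int) -> bool:
    """True when a PBKDF2 iteration count would not trigger a 'Low KDF' style warning."""
    return iterations >= PBKDF2_RECOMMENDED_MIN


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Constructed model of a PBKDF2-SHA256 master-key derivation (assumption:
    lower-cased e-mail is the salt, 32-byte key). Not Bitwarden's own code."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), email.lower().encode("utf-8"),
        iterations, dklen=32,
    )


def time_derivation(password: str, email: str, iterations: int) -> float:
    """Wall-clock seconds for one derivation at the given iteration count."""
    start = time.perf_counter()
    derive_master_key(password, email, iterations)
    return time.perf_counter() - start


def compare_costs(low: int, high: int) -> dict:
    """Cost of one unlock at each setting plus the relative slowdown an offline
    guesser suffers per attempt (each guess must repeat the full derivation)."""
    # Constructed sample credentials; any values work, they only feed the KDF.
    password, email = "correct horse battery staple", "User@Example.com"
    t_low = time_derivation(password, email, low)
    t_high = time_derivation(password, email, high)
    return {
        "low_iterations": low, "low_seconds": round(t_low, 3),
        "high_iterations": high, "high_seconds": round(t_high, 3),
        "attacker_slowdown_factor": high / low,
    }


if __name__ == "__main__":
    print(compare_costs(100_000, PBKDF2_RECOMMENDED_MIN))
```

The derivation runs once per unlock on your device, but once per guess for anyone working on a stolen vault, which is why a setting that costs you a fraction of a second multiplies the attacker's work by the same factor.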
Honestly, it’s a minor thing. BitWarden is such a great and needed product, I rely on it constantly every day, across Windows, Mac, Linux and iOS devices. But being a lifelong software developer, I do have an evangelistic tendency to advocate for the best UX.