How do I solve the "Low KDF Iterations" warning?

Has anyone solved this issue before? I click on the button, it takes me to my Keys page, and then I click “Change KDF” - that asks me to authenticate, which logs me into Bitwarden again, and I am back to my home page where I get the warning. Endless loop - rinse and repeat.

The weird thing is, even though I click “Remember me” it never does. I am not in a private browsing tab, and I am allowing cookies. It always asks for username, password and 2FA.

What you’re describing doesn’t sound like the expected behavior (unless you’ve left some details out).

When you click Change KDF (which you should do after you have updated the KDF settings on the “Encryption key settings” form), then it should display a modal pop-up that prompts you for your master password (which is not the same as an authentication prompt). If you enter your master password and click Change KDF in the pop-up, you will be logged out of the Web Vault (and all other sessions). You should also (briefly) see a confirmation message stating that the new KDF settings were saved:

You should then be able to log in as usual (provided that you actually followed the recommendations and set the “KDF Iterations” value to 600000 if your KDF algorithm is PBKDF2-SHA256).

If the above does not resolve your problem, please post some screenshots (after making sure that you have removed or obfuscated any sensitive information).

True, I get the modal authentication popup, but after entering my authentication (username, password, 2FA), I get redirected back to the vault with the same warning at the right. And it is interesting to note that I check off “Remember me,” however it still asks for all 3 elements of authentication each time.

The modal pop-up should not be asking for username and 2FA. It should look as follows:


Please provide some screenshots showing the steps you are performing and the prompts you are seeing (but be careful to redact/obfuscate any private information contained in the screenshots).

OK this is going to take a while. It is only letting me post 1 image per post, and it is enforcing a waiting period between replies. Bear with me.

[Screen shot redacted by mod.]

@jimer2 The last screenshot that you posted showed your email address at the bottom. To protect your privacy, I have replaced the screenshot with a redacted version that has the email address removed.

In any case, your problem is that in the “Encryption Key Settings” screen, you need to change the value of “KDF Iterations” from 100000 to 600000 before clicking the Change KDF button:

Ah, that was the secret ingredient. Thanks, that was not at all obvious.

You’re welcome. There is some fine print below the KDF settings that says “We recommend a value of 600,000 or more”, but you’re right — it may not be obvious at first glance that this is what is required to remove the “Low KDF” warning.

I think that an information icon with a small popup would also be necessary to make this a user-friendly experience. I have struggled with this myself, looking up Wikipedia pages about this topic because I had no clue at all. I read somewhere on a forum that most Android 8+ devices can easily handle 600,000 and that 900,000 really does not slow down your device even though it sounds like a lot.
It would be better if Bitwarden added more recommendations here. Like all open-source projects: the amount of control that is assigned to users is absolutely astonishing, but this can cloud the average user experience.
Also some information about newer better algorithms like Argon2id would be useful.

For example: my Intel i5 laptop together with my Android 13 smartphone and Android 10 tablet easily support the same KDF setting. A setting of KDF algorithm: Argon2id - KDF iterations: 8 - KDF memory (MB): 96 - KDF parallelism: 6 has always worked thus far. Bitwarden has never crashed, none of the three main devices has ever slowed down when I started the Bitwarden Android app or web extension besides my other apps/programs. This offers even more security and goes to show that a range of devices (not older than 5 years) can easily support heavier solutions. As long as we remain a bit realistic of course.
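As an added illustration (not code from this thread or from Bitwarden), the script below derives a key with PBKDF2-SHA256, flags an iteration count below the 600,000 floor the way the “Low KDF Iterations” warning does, and times 100,000 against 600,000 iterations so the cost of the recommended setting can be seen. The salt-from-email scheme and the warning rule are assumptions modelled on the scheme discussed above, and the credentials are constructed.

```python
import hashlib
import time

# Floor the thread cites for PBKDF2-SHA256 ("We recommend a value of 600,000 or more").
RECOMMENDED_PBKDF2_ITERATIONS = 600_000


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit master key with PBKDF2-HMAC-SHA256.

    Assumption: modelled on the published Bitwarden scheme, where the master
    password is the secret and the normalised (lowercased, trimmed) account
    email is the salt. This is illustrative code, not the project's own.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def is_low_kdf(algorithm: str, iterations: int) -> bool:
    """Reproduce the rule behind the "Low KDF Iterations" warning.

    Only the PBKDF2 iteration count is judged here; Argon2id has its own
    parameters (iterations, memory, parallelism) and is not flagged by this
    check (assumption about the warning's scope).
    """
    return algorithm.upper().startswith("PBKDF2") and \
        iterations < RECOMMENDED_PBKDF2_ITERATIONS


def time_derivation(password: str, email: str, iterations: int) -> float:
    """Wall-clock seconds for one derivation, to compare 100,000 vs 600,000."""
    start = time.perf_counter()
    derive_master_key(password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    pw, mail = "correct horse battery staple", "User@Example.com"
    for algo, iters in (("PBKDF2-SHA256", 100_000), ("PBKDF2-SHA256", 600_000)):
        flag = "LOW" if is_low_kdf(algo, iters) else "ok"
        print(f"{algo} x{iters:>7}: {time_derivation(pw, mail, iters):.3f}s [{flag}]")
```

Running it on a laptop shows the 600,000 setting costs a fraction of a second per login, which is why the thread's reports of no noticeable slowdown are unsurprising.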

Honestly, it’s a minor thing. Bitwarden is such a great and needed product, I rely on it constantly every day, across Windows, Mac, Linux and iOS devices. But being a lifelong software developer, I do have an evangelistic tendency to advocate for the best UX.

Exactly, that’s what makes these products better with each iteration.