Increasing the default number of PBKDF2 for existing accounts

Quexten · January 23, 2023, 5:16pm

The default for newly created accounts already has been raised to 350000 a few days ago:

github.com/bitwarden/clients

adjust default kdf iterations to 350k

bitwarden:master ← bitwarden:defaultkdfiter

opened 01:46AM - 16 Jan 23 UTC

kspearrin

+3 -3

https://bitwarden.atlassian.net/browse/PS-2273 ## Type of change ``` …- [ ] Bug fix - [x] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective [Latest OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) suggest at least 310k iterations for PBKDF2 now. This PR adjusts our default to 350k. ## Code changes - **kdfType.ts:** Increase iterations default. ## Before you submit - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team

Also about argon2 support: This is not a just feature request anymore but a work-in-progress PR. Mobile support is pretty much done, and server client PR’s are close:

Edit: I guess this doesn’t apply to existing users, so is your feature request auto migration that would, f.e prompt the user on sign in, and ask whether the KDFIterations should be updated?