Increasing the default number of PBKDF2 iterations for existing accounts

Just to note on this point: there is a feature request, for those wishing to add their support, for this to become an Organization enterprise policy.

But as was mentioned, new users will be set up with the default of 600,000, and anyone under that will get the warning to increase their iteration count.

2 Likes

For those wondering, my personal account was created in Aug 2017 and was set to 5,000 until now. I had no idea it was that low until the warning popped up. The warning is only in the web vault, which I rarely use.

My corporate account was at 100,000 and that was made in 2022.

Agreed that an enterprise control is needed, and voted on the above idea.

1 Like

I'm in a similar situation to @martin.tig and am very disappointed by the way this was handled.
Putting a warning in the web vault is not enough to alert users to this. In my opinion, visiting the web vault is not the normal way to use Bitwarden so this is not an appropriate way to notify users.
There should be a warning in all the clients at least, and ideally an email notification as well.
The warning should be more urgent - I think most users would be confused or put off by counter-warnings about performance, and would probably ignore it.
To properly address this requires users to: 1) understand what key derivation is, 2) check and understand the OWASP recommendations, 3) back up their data, 4) iteratively increase their iterations as recommended. I think this is a tall ask - this is the kind of thing non-experts expect their password manager to do for them.
It does not even tell you in the web vault what the minimum recommended iteration count is, and does not suggest you change to Argon2 or why you might want to.
It makes Bitwarden an unsuitable product for regular people – which is what I thought it was supposed to be?

3 Likes
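To make the numbers in this thread concrete, here is an added example (not code from the thread or from Bitwarden) that stretches a master password with PBKDF2-HMAC-SHA256 at the three iteration counts mentioned above, flags counts below the 600,000 default the way the web-vault warning does, and shows why raising the count is not a free switch: the derived key changes, so vault data must be re-encrypted, which is why the posters advise a backup first. Using the lowercased e-mail as the salt and a 32-byte output are assumptions for illustration, not a statement of any product's internals.

```python
import hashlib
import time

# Iteration counts quoted in the thread: the 2017-era value, the 2022 value,
# and the current default below which the web vault shows a warning.
LEGACY_2017 = 5_000
LEGACY_2022 = 100_000
CURRENT_DEFAULT = 600_000


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    Salt = lowercased account e-mail is an assumption made for this example;
    what matters here is that iterations is an input to the derivation.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        iterations, dklen=32,
    )


def needs_iteration_warning(iterations: int, minimum: int = CURRENT_DEFAULT) -> bool:
    """True when an account's stored count is below the current default."""
    return iterations < minimum


def guess_cost_ratio(old: int, new: int) -> float:
    """PBKDF2 work is linear in the iteration count, so the per-guess cost
    for anyone brute-forcing a stolen vault rises by exactly new/old."""
    return new / old


def time_derivation(iterations: int) -> float:
    """Wall-clock seconds for one derivation; the user-facing cost of a
    higher count (constructed sample credentials, not real ones)."""
    start = time.perf_counter()
    derive_key("correct horse battery staple", "user@example.test", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for count in (LEGACY_2017, LEGACY_2022, CURRENT_DEFAULT):
        flag = "WARN" if needs_iteration_warning(count) else "ok"
        print(f"{count:>8} iterations: {time_derivation(count):.3f}s per login  [{flag}]")
    print("attacker cost x", guess_cost_ratio(LEGACY_2017, CURRENT_DEFAULT))
    # Same password, same salt, different count -> different key, hence re-encryption.
    print(derive_key("pw", "a@b.test", LEGACY_2017) != derive_key("pw", "a@b.test", CURRENT_DEFAULT))
```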