"Low KDF Iterations" warning - what should I do?

When I sign into vault.bitwarden.com, everything works fine except I see “Low KDF Iterations” in the upper right corner. Searching on this Forum, I have seen messages with many comments, but it’s not clear whether they worked or not.

I presume this “low iterations” message has something to do with the strength of the encryption, and that increasing the iterations would strengthen it. But this is my wife’s account, and I am not allowed to break it :slight_smile: So:

  1. Could I get a short description of what the fix for “low KDF iterations” involves, and the risk to the wallet that it entails? Will it affect communication between my wife’s macOS app and the iPhone app?

  2. Could I get a simple set of instructions for resolving “low KDF iterations” using vault.bitwarden.com from the web browser?

Many thanks.

This just means that your wife needs to update her account settings.

There is a very small chance that something could go wrong while doing the update, so out of an abundance of caution (since breaking your wife’s account could be a problem), you should export a password-protected backup copy of her vault contents and take some additional precautions before you start.

Creating an Export:

  1. Log in to your wife’s account on the Web Vault (vault.bitwarden.com).
  2. Click on Tools in the top menu bar.
  3. Click on Export Vault in the left-hand navigation menu.
  4. In the dropdown menu under File Format, select the option .json (Encrypted).
  5. You will now see two options for Format Type: select Password-Protected (it is very important that you don’t select Account-Restricted).
  6. Choose a strong password for the backup (use the Bitwarden Password Generator if you like), and enter it into the input fields File password and Confirm file password. Write down this password in a safe location, so that you don’t lose it!
  7. Click Confirm Format.
  8. When prompted (in a window titled Confirm Vault Export), enter the Bitwarden Master Password (not your backup password).
  9. Click Export Vault button. You should see a green alert box in the upper right corner of your browser window, with the message “Vault data exported.”
  10. Go to your Downloads folder, and look for a file named something like bitwarden_encrypted_export_20230612204532.json. Move this file to any location where you will be able to access it later. The file is encrypted, so you do not have to worry about hiding the file.

In addition, if you have file attachments in your vault, locate these by typing the following expression in the vault search bar:

>attachments:*

Then, download each attachment (as file attachments are not included in the vault export), and make a note of which vault item each file was attached to. If you are concerned about the security of saving these files in decrypted form on your computer, you will need to take special measures (which I won’t detail here, unless you ask).

Finally, if your wife uses the Bitwarden Send feature, then take any necessary actions to preserve or re-create any currently active Sends (as Sends are not included in vault exports and would be lost should something happen to the account).

Additional Precautions:

In case you don’t already have it, you should get your two-step login recovery code. While still logged in to the web vault, click the profile avatar in the upper right corner, and select “Account Settings” from the dropdown menu:

 

In the Account Settings section, select Security in the left-hand navigation menu, and then click the top tab that is labeled “Two-step Login”:

 

In the Warning box, click the View recover Code button, and enter your wife’s Master Password when prompted. This will display a 32-character code, which you should print out or write down in a secure location (e.g., your Bitwarden Emergency Sheet).

While you’re on the “Two-step Login” tab, look through the list of “Providers”, and ensure that you see a green check mark ( :heavy_check_mark: ) on at least one of the listed provider options. If not, you’ll have to have a talk with your wife about the importance of two-factor authentication.

Updating the KDF Settings:

Having taken the above precautions, you’re now ready to make the KDF update that will address the “Low KDF Iterations” warning.

While still on the Security page of the Account Settings section, click the top tab that is labeled “Keys”. This will take you to a screen titled “Encryption Key Settings”.

In the “Encryption Key Settings” screen, change the value of “KDF Iterations” from 100000 to 600000, and then click the Change KDF button:

image

 

You will be prompted for the master password at this point, after which you can click the Change KDF button in this final prompt:

image

 

:warning: Important: Please warn your wife that she will be logged out of all of her Bitwarden apps when you complete this step. To resume using Bitwarden, she will need to log back in to her account on all Bitwarden apps on all of her devices.

Note: The Warning box on the final prompt (shown in the screen shot above) includes the statement “You will need to log back in and complete two-step login setup.” This statement is incorrect, and can be disregarded. What that sentence should say is something like “You will need to log back in (and complete two-step login, if set up)” (see discussion here). Bitwarden plans to change the sentence to “You will need to log back in and complete two-step login, if any.

Just an addition to @grb: Beside the option to set higher KDF iterations (with PBKDF2), another option would be to change the KDF algorithm to Argon2id with the standard settings. (as I understand it, Argon2id is the more secure option in the long run and maybe recommended anyway)

1 Like

Exactly, if you’re already going to change your KDF algorithm, you might as well choose the more secure option from the two.

@Nail1684 @PossibleGhost The reason I didn’t suggest switching to Argon2id is that @richb-hanover is under strict instructions not to break any functionality for his wife. Because she uses the iPhone app, the default settings for Argon2id could result in memory errors. Preventing these would require further tweaking of the KDF settings, and my instructions were already quite lengthy, so I thought this could wait.

@richb-hanover If you want to use Argon2id for your KDF algorithm, then change the default value of the Memory setting from 64 MB to 48 MB, and change the default value of the Iterations setting from 3 to 4.

 

There is nothing “less secure” about the PBKDF2 algorithm. The problem with PBKDF2 is that when computing technology advances to accelerate KDF calculation speeds (making it easier for password crackers), the recommended PBKDF2 iterations required to thwart an attack will begin to negatively impact the user as well (by noticeably delaying the unlock and login times); however, I don’t expect this to become an issue for another 5 years or so.

The benefit of the Argon2id algorithm is that it provides different types of settings for increasing the cracking time (memory and parallelism, in addition to iterations); this makes it possible to disproportionately slow down a password cracker without unduly delaying the user’s login and unlock time.

I disagree. The PBKDF2 algorithm is clearly less secure compared to Argon2. This is similar to how MD5 is also inferior to PBKDF2. We can also compare the current cracking time of master passwords using the default settings of both algorithms and even though both would be sufficient if the master password is strong enough, Argon2 would still require a lot more time to crack. Also, if a user has chosen a weak master password, it could be that Argon2 could still protect their vault, while with PBKDF2, the game could soon be over.

No, the algorithm is not less secure. If you use the OWASP-recommended settings for both PBKDF2-HMAC-SHA256 (600k iterations) and for Argon2id (19 MB, 2 iterations, and parallelism 1), then both algorithms will throttle hash calculation speeds to 10 kH/sec/GPU.

The source of confusion is that Bitwarden uses the OWASP recommended settings as the default for its PBKDF2 algorithm, but Bitwarden’s default settings for its Argon2id algorithm are actually stronger than the OWASP-recommended settings for Argon2id. Specifically, Bitwarden uses Argon2id default settings recommended by RFC9106, with 64 MB memory (instead of 19 MB as recommended by OWASP), 3 iterations (instead of 2 as recommended by OWASP), and parallelism of 4 (instead of 1 as recommended by OWASP).

The data set that you linked is a bit misleading, because it uses Hashcat for PBKDF2 hashing and JohnTheRipper for Argon2id hashing, but even if we take the results at face value, it says that Bitwarden’s default settings for Argon2id are about 70× slower that Bitwarden’s default settings for PBKDF2. Thus, if the number of iterations for the PBKDF2 algorithm was increased to 43,000,000, then the two algorithms would be equally effective at slowing down a brute-force attack.

@grb This is a fantastic answer. It worked perfectly for me and has exactly the level of detail I was seeking. As an admin on another Discourse server, I am tickled when people submit posts of this caliber. Thank you!

As I review your post, I see that it’s really three separate topics:

  1. Export your vault. This creates a local backup against the tiny possibility of error. And it’s a rational thing to do from time to time, even if you’re not monkeying around with backend encryption stuff…

  2. (Important, but optional) Make sure the two-step login recovery is in place.

  3. Actually changing the KDF iterations.

If you had the time/strength, would you consider creating three new topics from it?

That way, no one else will need to write “how to export a vault” again. They can simply refer to your post.

Similarly, there would then be a Two-step Login Recovery post.

And finally, the “Low KDF Iterations” post gets short - it just says, do number 1, do number 2, then do these steps to increase the KDR iterations.

Thank you again!

PS I’m flagging the admins to ask that they close this thread since the answer is perfect.

1 Like

Thanks for the kudos. You’ve marked the topic as solved, so no need to close the thread, in case other users have follow-up questions (or want to continue the side-discussion about KDF algorithms).

The forum unfortunately doesn’t have a good way of creating “archival” posts/responses for use in a FAQ or for future reference. As long as I remain active in the forum, I have a decent recollection of things I have written previously, and will either link to those responses or copy and paste from the earlier response.

Just some notes from my perspective: The OWASP guidelines are targeted for hashes of website credentials for authentication, not KDF derivation of password managers. I would argue the latter has a much higher likelyhood for high-value targets (users known to have crypto wallets, cross referenced by email, unencrypted credential creation timestamps, etc), thus requiring more resistant settings compared to a regular website.

The defaults of Bitwarden are - as you point out - the conservative - but safe - defaults of the Argon2 RFC 9106. The regular defaults of the RFC are not feasible on mobile devices.

About the “more secure/less secure” part. This really depends on how you define security. Instead of more/less secure, I would re-frame it to: Argon2 has a better user unlock-time to attacker cracking-time trade-off. For the same user unlock time, Argon2 has a much (orders of magnitude, depending on a few parameters) better resistance to cracking on GPUs and FPGAs. Thus, it makes sense to switch to it in nearly all (except for incompatibility due to f.e no WebAssembly support) cases.

Thus, if the number of iterations for the PBKDF2 algorithm was increased to 43,000,000, then the two algorithms would be equally effective at slowing down a brute-force attack.

Again, you can increase your PBKDF2 settings that high, but slowing down cracking will one-to-one scale to more unlock time. So - given the same unlock time budget - argon2 could be considered “more secure” (if that’s your definition of security).

1 Like

Thanks for offering your valuable perspective.

My point was that at equivalent settings, the two algorithms are equally secure. The Argon2id algorithm is clearly superior, but not because it is more secure; its main benefit is that it can provide equivalent security to PBKDF2 at less cost (unlock delay) to the user.

Per Moore’s Law, we would not need to use 43,000,000 PBKDF2 iterations until the year 2032 or so, and the same improvements in computing power that will benefit password crackers by then (necessitating the increase in PBKDF2 iterations) would also reduce the user’s unlock time (thus, keeping the unlock time relatively constant relative to today’s delay at 600,000 iterations).

The only sense in which I would say that Argon2id is more secure than PBKDF2 is that because of its lower relative cost to the user, Argon2id can be used to future-proof your vault — by choosing memory/iteration settings that are higher than today’s OWASP recommendations (which is what Bitwarden’s default settings for Argon2id do).