Moving away from PBKDF2

Security Now podcast did a follow-up to the last episode on the LastPass debacle and one of the things that Steve Gibson mentioned is that vault providers need to move away from PBKDF2 and the number of hash iterations to an algorithm that is resistant to GPU attacks. He said that he researched this topic when he was doing SQRL and chose scrypt.

My question is "Does Bitwarden need to move away from PBKDF2 to something like scrypt?


This may be coming soon:


There was already a pull request for Argon2 a few months (years?) ago. Anyway, I‘d still prefer Argon2 over Scrypt, but open to other opinions.

But let‘s all agree that it‘s important to bury PBKDF2 for good.

Edit: As Steve said: „If you want to dodge a train, don‘t run along the tracks, just step aside.“ (or something like that :sweat_smile:)


Hey, after scrypt support is done I was considering looking at implementing argon2 support aswell. Do you have a link to this argon2 pull request? A quick search on GitHub didn’t result in much: Pull requests · bitwarden/clients · GitHub and Pull requests · bitwarden/jslib · GitHub


Working on it. :+1:


I think it‘s that one, but be advised, it‘s a bit older :sweat_smile:

Yeah I saw this fork as well but there are not actually any commits implementing anything as far as I can see. So seems like it didn’t work out at the time.


Ah, sorry, my bad.

Maybe BW Mgmt could allow their members to select between the two algo’s mentioned above? We are all adults (hopefully) and can make our own selections. If someone is on an ancient piece of hardware and prefers to stay with the current setup they could be allowed to ---- generally speaking that would be a mistake except if using a fossil piece of hardware.

This is a great thread and I really hope it goes somewhere.

1 Like

The framework for selecting different hashing algorithms already exists in the code, it’s just that there is currently only single option available to choose. If this PR is merged, then there will be two options.


I feel like this should be a priority. Microsoft moved to Argon2 in 2018 I believe and google uses scrypt. Whichever one gets used is fine but need to move away from PBKDF2. Argon2 in 2015 won the Password Hashing competition, 2018 Approved by NIST, 2019 recommened by ENISA and 2020 by OWASP.

If it isn’t obvious I vote Argon2 but I’ll take scrypt.

From what I understand scrypt is better for single computer brute forces but Argon2 is better for protection again botnets.

I’d like to add no matter what KDF is used there is no substitute for strong passwords. I’d take no KDF with a strong password then a weak password with kdf. It’s all about mitigating risks and doing the best you can.

1 Like

Is there any Argon2 support available in javascript?
If not then that would explain the holdup.

There is support for Argon2 in JS. Crypto-Js is probably the most common library that will allow you to do this but there is also argon2-browser.

1 Like

I forgot to mention that I have been using LUKS2 and Argon2id for these same reasons on my other important stuff. Its easy to employ and so why not take advantage of newer and much stronger crypt features?

1 Like

Yeah we want to. We want it implemented in the next feature release

1 Like

Sounds like Bernd may have found himself two helpers to assist with the PR… :rocket:

Are actual dates for feature releases? (Like patch Tuesday for example)

Typically new releases every 5 weeks, last one was Jan 10th.

1 Like