The Security Now podcast did a follow-up to the last episode on the LastPass debacle, and one of the things that Steve Gibson mentioned is that vault providers need to move away from PBKDF2 and the number of hash iterations to an algorithm that is resistant to GPU attacks. He said that he researched this topic when he was doing SQRL and chose scrypt.
My question is "Does Bitwarden need to move away from PBKDF2 to something like scrypt?"
Yeah, I saw this fork as well, but there are not actually any commits implementing anything as far as I can see. So it seems like it didn't work out at the time.
Maybe BW Mgmt could allow their members to select between the two algos mentioned above? We are all adults (hopefully) and can make our own selections. If someone is on an ancient piece of hardware and prefers to stay with the current setup, they could be allowed to; generally speaking that would be a mistake, except if using a fossil piece of hardware.
This is a great thread and I really hope it goes somewhere.
The framework for selecting different hashing algorithms already exists in the code; it's just that there is currently only a single option available to choose from. If this PR is merged, then there will be two options.
I feel like this should be a priority. Microsoft moved to Argon2 in 2018, I believe, and Google uses scrypt. Whichever one gets used is fine, but we need to move away from PBKDF2. Argon2 won the Password Hashing Competition in 2015, was approved by NIST in 2018, and was recommended by ENISA in 2019 and by OWASP in 2020.
If it isn't obvious, I vote Argon2, but I'll take scrypt.
From what I understand, scrypt is better for single-computer brute forces, but Argon2 is better for protection against botnets.
Edit:
I'd like to add that no matter what KDF is used, there is no substitute for strong passwords. I'd take no KDF with a strong password rather than a weak password with a KDF. It's all about mitigating risks and doing the best you can.
I forgot to mention that I have been using LUKS2 and Argon2id for these same reasons on my other important stuff. It's easy to employ, so why not take advantage of newer and much stronger crypto features?