We are in the process of onboarding an organization and I would like to be able to set a security baseline by having a default KDF iteration count for all accounts on the organization level.
Feature name
Provide a way for an admin to configure the number of minimum KDF iterations for users within an organization.
Feature function
Allows admins to configure their organizations to comply with change in recommendations over time (as hash compute capabilities increase, so does the need for increasing KDF iterations).
Enforce a re-encryption of vaults at next user login for accounts that are not compliant, after changing the value in the admin settings
Optional: Add a validation on users’ profiles so they can apply a higher iteration count than the organization default, but never a lower one.
Having the ability to set the default for new users would be a primary request, while changing existing values and having the new value apply for existing users could be a secondary goal.
Just as an FYI, typically the entropy of your master password is considered to be of the most importance even more so than the factor of KDF iterations or the function used.
Currently there are Enterprise Policies to allow for an Org to enable Master Password Requirements which helps to ensure that users’ master password in an Org are at least of some length and/or complexity.
Perhaps though once Argon2 and other KDF methods are integrated into the product this may be another Enterprise Policy the team could look to have configured so Organizations could be configured with the security they deem necessary across their user base.
Overall good request though
Aware of this - I’d also like to be able to configure the master password policy to require (or at least strongly recommend) a passphrase, like you can do for the password generator policy. What I’d primarily want to avoid with the suggestion is getting into situations where old accounts had something like 5000 KDF iterations - way, way below current recommendations, without anyone knowing. At the very least let us report on the iteration values used in in the org so we can instruct users accordingly.
This is a good suggestion. Controlling the KDF and master password policies, combined, is a compelling feature for IT departments looking to migrate to Bitwarden.
I see that “Expanded Enterprise Policies” is on the roadmap for 1H23. Does this milestone include setting minimums for “Encryption key settings” in user’s web vault under Account Settings > Security > Keys?
e.g.
KDF algorithm: Argon2id
KDF iterations: 16
KDF memory (MB): 128
KDF parallelism: 8
Hey there, the default for new account encryption has been increased based on most recent OWASP recommendations. The best protection for a Bitwarden account is still a strong/unique password with 2FA. Your feedback has been passed along to the team
