Organizations: Let admins determine KDF iterations for users

We are in the process of onboarding an organization and I would like to be able to set a security baseline by having a default KDF iteration count for all accounts on the organization level.

Feature name

  • Provide a way for an admin to configure the number of minimum KDF iterations for users within an organization.

Feature function

  • Allows admins to configure their organizations to comply with change in recommendations over time (as hash compute capabilities increase, so does the need for increasing KDF iterations).
  • Enforce a re-encryption of vaults at next user login for accounts that are not compliant, after changing the value in the admin settings.
  • Optional: Add a validation on users’ profiles so they can apply a higher iteration count than the organization default, but never a lower one.

Having the ability to set the default for new users would be a primary request, while changing existing values and having the new value apply for existing users could be a secondary goal.


Just as an FYI, typically the entropy of your master password is considered to be of the most importance, even more so than the factor of KDF iterations or the function used.

Currently there are Enterprise Policies to allow for an Org to enable Master Password Requirements, which helps to ensure that users’ master passwords in an Org are at least of some length and/or complexity.

Perhaps though once Argon2 and other KDF methods are integrated into the product this may be another Enterprise Policy the team could look to have configured so Organizations could be configured with the security they deem necessary across their user base.
Overall good request though :slightly_smiling_face:

1 Like

Aware of this - I’d also like to be able to configure the master password policy to require (or at least strongly recommend) a passphrase, like you can do for the password generator policy. What I’d primarily want to avoid with the suggestion is getting into situations where old accounts had something like 5000 KDF iterations - way, way below current recommendations, without anyone knowing. At the very least let us report on the iteration values used in the org so we can instruct users accordingly.

1 Like
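To make the request concrete, here is an added example of what the policy check and the report described above could look like. It is not Bitwarden code and is not from anyone in this thread; the `OrgKdfPolicy` / `KdfConfig` types, the function names, the 600,000 PBKDF2 floor and the Argon2id minimums are all assumed values chosen for illustration, and the user accounts are constructed sample data. It covers the three pieces the feature request lists: an org-level floor, a report of accounts that fall below it (the ones that would need re-encryption at next login), and a profile-level validation that lets a user go higher than the floor but never lower.

```python
from dataclasses import dataclass
from typing import Optional

# Algorithm labels used in this example (assumed names, not Bitwarden's identifiers).
PBKDF2 = "PBKDF2-SHA256"
ARGON2ID = "Argon2id"


@dataclass(frozen=True)
class KdfConfig:
    """A user's current KDF settings. Argon2id fields stay None for PBKDF2."""
    algorithm: str
    iterations: int
    memory_mib: Optional[int] = None
    parallelism: Optional[int] = None


@dataclass(frozen=True)
class OrgKdfPolicy:
    """Hypothetical organization-level floor; every value is an assumption."""
    allowed_algorithms: frozenset
    min_pbkdf2_iterations: int
    min_argon2_iterations: int
    min_argon2_memory_mib: int
    min_argon2_parallelism: int


def violations(cfg: KdfConfig, policy: OrgKdfPolicy) -> list:
    """Return every way cfg falls below the policy; an empty list means compliant."""
    if cfg.algorithm not in policy.allowed_algorithms:
        return [f"algorithm {cfg.algorithm} is not permitted by the policy"]
    problems = []
    if cfg.algorithm == PBKDF2:
        if cfg.iterations < policy.min_pbkdf2_iterations:
            problems.append(
                f"PBKDF2 iterations {cfg.iterations} < {policy.min_pbkdf2_iterations}")
    elif cfg.algorithm == ARGON2ID:
        # Argon2id cost is three parameters; each one has its own floor.
        if cfg.iterations < policy.min_argon2_iterations:
            problems.append(
                f"Argon2id iterations {cfg.iterations} < {policy.min_argon2_iterations}")
        if (cfg.memory_mib or 0) < policy.min_argon2_memory_mib:
            problems.append(
                f"Argon2id memory {cfg.memory_mib} MiB < {policy.min_argon2_memory_mib} MiB")
        if (cfg.parallelism or 0) < policy.min_argon2_parallelism:
            problems.append(
                f"Argon2id parallelism {cfg.parallelism} < {policy.min_argon2_parallelism}")
    return problems


def is_compliant(cfg: KdfConfig, policy: OrgKdfPolicy) -> bool:
    return not violations(cfg, policy)


def compliance_report(users: dict, policy: OrgKdfPolicy) -> dict:
    """Map email -> violations for the accounts that would need re-encryption at next login."""
    return {email: v for email, cfg in users.items() if (v := violations(cfg, policy))}


def may_apply(proposed: KdfConfig, policy: OrgKdfPolicy) -> bool:
    """Profile-level validation: any setting that still meets the org floor is allowed,
    so users can raise their cost parameters but never drop below the baseline."""
    return is_compliant(proposed, policy)


# Assumed org baseline (600k PBKDF2 iterations, modest Argon2id minimums).
ORG_POLICY = OrgKdfPolicy(
    allowed_algorithms=frozenset({PBKDF2, ARGON2ID}),
    min_pbkdf2_iterations=600_000,
    min_argon2_iterations=3,
    min_argon2_memory_mib=64,
    min_argon2_parallelism=4,
)

# Constructed sample accounts, including the old 5000-iteration case from the thread.
USERS = {
    "legacy@example.com": KdfConfig(PBKDF2, 5_000),
    "current@example.com": KdfConfig(PBKDF2, 600_000),
    "argon@example.com": KdfConfig(ARGON2ID, 3, memory_mib=64, parallelism=4),
    "weak-argon@example.com": KdfConfig(ARGON2ID, 2, memory_mib=16, parallelism=4),
}

if __name__ == "__main__":
    for email, problems in compliance_report(USERS, ORG_POLICY).items():
        print(f"{email}: {'; '.join(problems)}")
```

Running it lists only the two constructed accounts below the floor. The same `violations` function drives both the admin report and the per-user validation, so the two can never disagree about what "compliant" means.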

This is a good suggestion. Controlling the KDF and master password policies, combined, is a compelling feature for IT departments looking to migrate to Bitwarden.

1 Like

This was also requested in this related topic: Managing KDF iterations of organization users as owner

Good suggestion! Since the last version has support for Argon2id, you should be able to force that algorithm via policy.