Just as an FYI, typically the entropy of your master password is considered to be of the most importance even more so than the factor of KDF iterations or the function used.
Currently there are Enterprise Policies to allow an Org to enable Master Password Requirements, which helps to ensure that users’ master passwords in an Org are at least of some length and/or complexity.
Perhaps though once Argon2 and other KDF methods are integrated into the product this may be another Enterprise Policy the team could look to have configured so Organizations could be configured with the security they deem necessary across their user base.
Overall, good request though.
Aware of this - I’d also like to be able to configure the master password policy to require (or at least strongly recommend) a passphrase, like you can do for the password generator policy. What I’d primarily want to avoid with the suggestion is getting into situations where old accounts had something like 5000 KDF iterations - way, way below current recommendations - without anyone knowing. At the very least, let us report on the iteration values used in the org so we can instruct users accordingly.
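The two points raised so far (master password entropy matters more than the KDF, and admins want to report on accounts whose KDF settings have fallen below current recommendations) can be shown with a small audit script. This is an added example, not code from the thread or from Bitwarden: the export record shape, the policy floors and the sample accounts are all constructed for illustration.

```python
import math
from dataclasses import dataclass

# Policy floors used by this example. These are assumed values chosen for
# illustration, not Bitwarden's defaults or any official recommendation.
MIN_PBKDF2_ITERATIONS = 600_000
MIN_ARGON2_MEMORY_MB = 64
MIN_ARGON2_ITERATIONS = 3


@dataclass
class KdfSettings:
    """One user's KDF configuration, in a hypothetical shape an org export might use."""
    user: str
    algorithm: str          # "PBKDF2-SHA256" or "Argon2id"
    iterations: int
    memory_mb: int = 0      # only meaningful for Argon2id
    parallelism: int = 1    # only meaningful for Argon2id


def audit(accounts):
    """Return (user, reason) pairs for accounts whose KDF settings fall below the floors."""
    findings = []
    for a in accounts:
        if a.algorithm == "PBKDF2-SHA256":
            if a.iterations < MIN_PBKDF2_ITERATIONS:
                findings.append((a.user, f"PBKDF2 iterations {a.iterations} < {MIN_PBKDF2_ITERATIONS}"))
        elif a.algorithm == "Argon2id":
            # Memory is the dominant cost factor for Argon2id, so check it first.
            if a.memory_mb < MIN_ARGON2_MEMORY_MB:
                findings.append((a.user, f"Argon2id memory {a.memory_mb} MB < {MIN_ARGON2_MEMORY_MB} MB"))
            elif a.iterations < MIN_ARGON2_ITERATIONS:
                findings.append((a.user, f"Argon2id iterations {a.iterations} < {MIN_ARGON2_ITERATIONS}"))
        else:
            findings.append((a.user, f"unknown KDF algorithm {a.algorithm!r}"))
    return findings


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of a passphrase of word_count words drawn uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def kdf_gain_bits(old_iterations, new_iterations):
    """Extra work, in bits, that raising the iteration count adds to an offline guessing attack."""
    return math.log2(new_iterations / old_iterations)


# Constructed sample export; every value below is made up for this example.
SAMPLE_ACCOUNTS = [
    KdfSettings("alice", "PBKDF2-SHA256", iterations=5_000),
    KdfSettings("bob", "PBKDF2-SHA256", iterations=600_000),
    KdfSettings("carol", "Argon2id", iterations=16, memory_mb=128, parallelism=8),
    KdfSettings("dave", "Argon2id", iterations=2, memory_mb=16, parallelism=1),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {reason}")
    # Raising PBKDF2 from 5,000 to 600,000 iterations adds about 6.9 bits of work;
    # adding one word from a 7,776-word list adds about 12.9 bits.
    print(f"KDF bump 5,000 -> 600,000: {kdf_gain_bits(5_000, 600_000):.1f} bits")
    print(f"One extra passphrase word: {passphrase_entropy_bits(1, 7776):.1f} bits")
```

The entropy helpers make the first post's point concrete: a 120x increase in PBKDF2 iterations buys fewer than 7 bits against an offline attacker, while one extra word from a 7,776-word list buys almost 13, so a passphrase policy moves the needle more than a KDF floor does, even though both are worth having.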
I see that “Expanded Enterprise Policies” is on the roadmap for 1H23. Does this milestone include setting minimums for “Encryption key settings” in a user’s web vault under Account Settings > Security > Keys?
KDF algorithm: Argon2id
KDF iterations: 16
KDF memory (MB): 128
KDF parallelism: 8
Hey there, the default for new account encryption has been increased based on the most recent OWASP recommendations. The best protection for a Bitwarden account is still a strong/unique password with 2FA. Your feedback has been passed along to the team.