PBKDF2 vs Argon2 - which is better?

What’s the general opinion of PBKDF2 vs Argon2? Is one superior to the other as far as security? Does one use more resources than the other (and is it even a problem for things like an iPhone)?

Thanks!

In short, argon2 is better. Do beware that iOS auto-fill still seems to cause some issues, so if you use iOS, lower your “memory” setting to 48 MiB.

More technical explanation:
Argon2 was specifically crafted to fix the inherent flaws of compute bounded key derivation functions like pbkdf2. With pbkdf2, you can double your iterations, which will double the time you have to wait to unlock your vault, but also double the time an attacker will take to crack your password (if they have your masterpasswordhash). In contrast to this, argon2 is not just compute-bounded but also memory bounded. This means that - for the same unlock time for you - password cracking will be significantly slower for an attacker attempting to crack your password on a GPU or ASIC, because an attacker cannot run as many instances of argon2 in parallel on a GPU, as they could with PBKDF2 due to memory limitations. This means that for the same unlock time for the user, password cracking becomes orders of magnitude slower compared to pbkdf2.

Does one use more resources than the other (and is it even a problem for things like an iPhone)?

Yes, but only during unlocking. And using resources is specifically the point, as using resources is what makes it secure, since an attacker would have to use the same resources to attempt to crack the password. The resources should not be a problem - even on an iPhone or Android phone. The only edge case is iOS autofill, due to a software restriction that is part of iOS. Hence the recommendation to lower the memory to 48 MiB.

1 Like

So would you recommend waiting before changing? I have 1,000,000 iterations with a password that is two words plus random numbers, letters, and symbols totalling >20 characters.

  1. There is no reason to delay switching to Argon2id (unless you are using old devices that are significantly underpowered, or if your favorite browsers do not support WebAssembly).

  2. Your master password may or may not be sufficiently strong, depending on how it was created. If the two words were randomly selected from a diceware-type list (7776 words), and then supplemented with a random character string consisting of around 5 characters (mixed-case alphanumeric, plus special characters), then you should have sufficient entropy to protect your vault. However, if the words (and the added characters) were not selected with the help of a random number generator (or dice!), then your master password will not be sufficiently strong to withstand a brute-force attack.

Argon2id works like lightning on my S23 Ultra, and the Master Password is over 40 digits long, LOL!!

With the default settings (600,000 for PKDF, and the defaults for Argon2), the vault unlocks faster with Argon2 on my 2 year-old low-end Android phone, with better protection. From that point, I am bought.

I’m assuming I’ll have to re-enter master password and 2FA if I change to Argon2?

Yes, any changes to the Account Security settings will deauthorize all logged in sessions, requiring you to authenticate again.

So default Argon2 settings is still more secure than PBKDF2?

Default Argon2id settings are more secure than the default PBKDF2 settings.

So, the Argon2 is better than PBKDF2 but a lot slower on vault unlock operation? Can anyone share estimations on how much slower (with default settings)?

I have a lot of passwords, and the current PBKDF2 unlocking is already pretty slow that’s annoying, so I am afraid to get it even more slower after switching to modern Argon2 :confused:

I didn’t notice any difference at all. Have mine set for Argon2id, 3 KDF iterations, 64 KDF memory, and 4 KDF parellelism. I think this is the default.

Use it on iPhone 15 Pro, MacBook Air M1, Mac Studio M1 Max, iPad Pro (fairly old one, one of the first introduced), and Windows 11 machine (Dell Inspiron 7700). All computers use it with Chrome and MBA/Mac Studio also have the standalone app.

The effect of KDF on unlock speed is independent of the number of items in your vault, since the KDF is only used to extract the account encryption key using your master password. The decryption of your vault contents using the account encryption key always happens after the KDF algorithm has been completed.

One disadvantage of PBKDF2 over Argon2id is that the former only has one adjustment parameter (the number of iterations), and the cost (in terms of key derivation time) increases in equal proportion for you and your attacker as you increase the number of iterations. In contrast, using the Argon2id memory setting, you can disproportionately penalize an attacker by increasing the memory cost. Thus, compared to PBKDF2, you may benefit from setting iterations to a low value (e.g., 2), and increasing the memory setting until you get a reasonable unlock time. If you set iterations=2, parallelism=1, and memory=19 MB, then the cost to an attacker is equivalent to what you will get with the default PBKDF2 setting (600000 iterations). Start from there and increase the memory setting if possible without degrading your unlock time.

Slower is very dependent on settings. At the same brute-force resistance, argon2 unlocks much faster. You can of course make it much slower by pushing the settings much higher, but either way, the trade-off between unlock time, and cracking resistance, is better in all cases on argon2.

The effect of KDF on unlock speed is independent of the number of items in your vault, since the KDF is only used to extract the account encryption key using your master password. The decryption of your vault contents using the account encryption key always happens after the KDF algorithm has been completed.

Very good note, albeit to clarify since some users get confused here: For most users, 90%+ of unlock time is the KDF - since more unlock time also necessitates slower brute-forcing. Some users with a lot of entries (500-1000+) will notice this time added on top (not scaled with KDF parameters as you point out).

And, as you point out, with argon2 you can use memory to slow down brute-forcing, while not affecting unlock time (if you in turn decrease iterations).

Thanks! Switched to argon2 and seems it’s faster on unlocking, great!

1 Like