Pre-Hashing Passwords

OWASP: Pre-Hashing Passwords

I referenced the OWASP cheat sheet for password storage and the pre-hashing of passwords, after reviewing the BitWarden cli/jslib source code, as a means to further secure the master password and subsequent hash and encryption key generation.

The enforcement of strong passwords in v1.8.0 is lax, and should be addressed. An alternative would be to pre-hash the master password with SHA-256, then iterate the result with a stronger algorithm, such as Argon2. Pre-hashing provides uniform password lengths, devoid of special characters, and consistent response times regardless of the password's complexity.

This sounds like it could be a good idea.

What do you think @kspearrin ?

Argon2 is the winner of the Password Hashing Competition. The main advantage of Argon2 over AES-KDF is that it provides a better resistance against GPU/ASIC attacks (due to being a memory-hard function).

The number of iterations scales linearly with the required time. By increasing the memory parameter, GPU/ASIC attacks become harder (and the required time increases). The parallelism parameter can be used to specify how many threads should be used.
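The two steps discussed in this thread (SHA-256 pre-hash, then a memory-hard stretch with tunable memory, time and parallelism cost), as an added example that is not code from the original posts and not Bitwarden's implementation. It assumes a Python install whose hashlib has scrypt; scrypt stands in for Argon2 here because it is in the standard library, and its N, r and p parameters play the same roles as Argon2's memory, iteration and parallelism parameters. All cost values and the helper names are illustrative assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example: pre-hash a master password with SHA-256, then stretch the
# fixed-length result with a memory-hard KDF. The thread proposes Argon2 for
# the second step; scrypt (hashlib.scrypt, standard library) stands in for it
# here so the example runs without extra packages. Every parameter value below
# is an illustrative assumption, not a value taken from Bitwarden.

PREHASH_LEN = 32  # SHA-256 output: every password enters the KDF as 32 bytes

# Memory-hard cost parameters (assumed). scrypt touches about 128 * N * r bytes,
# so N is the memory/time knob and p the parallelism knob, as with Argon2.
STRETCH_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # about 16 MiB per derivation


def prehash(password: str) -> bytes:
    """Step 1: normalise and SHA-256 the password.

    Whatever the user typed (one character or a 500-character passphrase, with
    or without special characters), the result is always 32 bytes, so the
    expensive stretch that follows costs the same regardless of the password's
    length or content.
    """
    normalised = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.sha256(normalised).digest()


def stretch_memory_bytes(params: dict) -> int:
    """Approximate memory one scrypt derivation will touch (128 * N * r)."""
    return 128 * params["n"] * params["r"]


def derive_key(password: str, salt: bytes, params: dict = STRETCH_PARAMS,
               dklen: int = 32) -> bytes:
    """Step 2: feed the 32-byte pre-hash into the memory-hard KDF."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.scrypt(
        prehash(password),
        salt=salt,
        n=params["n"],
        r=params["r"],
        p=params["p"],
        maxmem=2 * stretch_memory_bytes(params),  # allow the chosen cost to fit
        dklen=dklen,
    )


def new_salt() -> bytes:
    """Per-user random salt; never reuse one across accounts."""
    return os.urandom(16)


def verify(password: str, salt: bytes, expected_key: bytes,
           params: dict = STRETCH_PARAMS) -> bool:
    """Re-derive and compare in constant time so a wrong guess does not leak
    how many leading bytes matched."""
    candidate = derive_key(password, salt, params, dklen=len(expected_key))
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    import time

    salt = new_salt()
    # Constructed sample passwords of very different length and character set.
    for pw in ["hunter2", "correct horse battery staple " * 10, "p\u00e4ssw\u00f6rd \u2603"]:
        print(f"{len(pw):>4} chars -> {len(prehash(pw))} bytes after pre-hash")

    # Raising the memory parameter raises the cost for attacker and user alike.
    for n in (2 ** 12, 2 ** 14, 2 ** 16):
        params = {"n": n, "r": 8, "p": 1}
        t0 = time.perf_counter()
        derive_key("hunter2", salt, params)
        print(f"N={n:>6}  ~{stretch_memory_bytes(params) // 2 ** 20:>3} MiB  "
              f"{time.perf_counter() - t0:.3f}s")
```

Running the block shows the pre-hash collapsing every input to 32 bytes and the derivation time growing with N; to move to Argon2 itself, replace the `hashlib.scrypt` call with an Argon2id call and keep the pre-hash and the salt handling unchanged.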

This has been requested several times and has been ignored by the devs

IMHO it should be TOP 1 priority in terms of security
