Request For Progress on "Switching To Argon2" Post

Dear Bitwarden Employees,

So I have seen the post for “Switch to Argon2” post:

Chad Sharf did leave the following important remark:

As several of you have indicated the strong desire for Argon2 as an option in Bitwarden clients, we have accepted this as requested enhancement. There has also been an update to the related GitHub issue here: https://github.com/bitwarden/jslib/issues/52 .

I believe @michaelsmoody has created a fork for this process to get started already and any other collaborators I would encourage to group together on the effort, etc. Please provide any design discussions, decisions and roadblocks so the community and Bitwarden engineering team may assist as necessary. The framework that Kyle has created for KDF was intended to be able to be expanded to support more than a single algorithm.

We will absolutely accept a solid implementation of this feature if all PRs are presented together that meets quality standards and encompasses for each of the Bitwarden clients: Web, Browser, Desktop, CLI, and Mobile. Argon2 may not replace SHA256 as the default but should be an option to be configured by the user. Also, the license for any libraries used may not be GPL based.

Please feel free to post/ask any questions or concerns and thank you again for your support!

I wish to ask here if there has been any progress on the switch since March 21, 2020.

Based on Micheal S Moody’s last commit, he last committed to the project on March 21, 2020:

Are the Bitwarden employees still interested in completing this feature?

If so, I am happy to contribute. I already messaged Micheal S Moody about this, but I also wanted to ask the other Bitwarden Employees about this to see if they are still interested in this feature.

If so, my GPG public key can be found at: https://raiderhacks.com/gpg

I will take a look at Micheal S Moody’s work and give updates as to what I come up with as time goes on.

I thank the Bitwarden employees for any responses they send back to me.

Thank you @fosres, as of right now our team is focused on other priorities and I don’t foresee us tackling this internally at the moment. I know this is an important topic for many, however, and I am willing to extend some time and resources to helping those in the community who want to take a crack at it (answering questions, reviewing design considerations/approach, PR review, etc.); however that’s the most we can commit to at this point.

What other issues is Bitwarden focusing on? I am curious to know.

This is the roadmap for Q1 or so:

1 Like

It’s not a priority until sundently sooner than later will be a security issue and it will become a priority.
Better safe than sorry, particulary in this product, and this feature should be in the roadmap for this year.

1 Like

Hi @tgreer any chance to get this for Q2?
I think people selfhosting and enterprise and normal customers will feel safer using argon2 knowing that in case of a compromise their data will be encrypted in the best way possible, and “future proof”.