Set Argon2id as default KDF

r3m8 · January 18, 2026, 8:28am

Currently, new Bitwarden accounts default to PBKDF2_SHA256 with 600,000 iterations. Argon2id has been implemented for almost three years now, so it is stable enough to be set as the default and can significantly increasing the level of security of users.

I see 3 ways :

Change all hard‑coded PBKDF2 defaults to always use Argon2id
Use existing argon2‑default feature flag to toggle between PBKDF2 (default) and Argon2id (and use something like globalSettings__launchDarkly__flagValues__argon2‑default: “true”)
Add new globalSettings__defaultKdfType setting (Argon2id/PBKDF2_SHA256)

argon2‑default flag exists (src/Core/Constants.cs:192) but is not used anywhere in the server code. Two last options will need an additionnal variable in the helm chart (maybe pre‑install‑hook‑configmap.yaml).

I’m ok to create an Issue and PR on Github.

Nail1684 · January 18, 2026, 10:45am

@r3m8 Welcome to the forum!

Just FYI, there already were some efforts to do that, but for whatever reason the PR is still closed:

github.com/bitwarden/clients

[BEEEP/PM-16982] Make argon2 the default kdf for new accounts

main ← km/default-argon2

opened 01:43AM - 29 Dec 24 UTC

quexten

+49 -13

## 🎟️ Tracking https://bitwarden.atlassian.net/browse/PM-16982 Server PR: ht…tps://github.com/bitwarden/server/pull/5253/ ## 📔 Objective Makes argon2, with the default settings, the default KDF for new accounts. This is behind a feature-flag. ## 📸 Screenshots https://github.com/user-attachments/assets/05ea35d3-8cfc-46a8-a034-0ada876edf0b ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes

r3m8 · January 18, 2026, 11:17am

Thanks, I didn’t check the clients repo.

I see that the linked server PR has already been merged with the argon2-default flag, but as I mentioned, this flag isn’t being used anywhere in the server source code.

Given the many hardcoded PBKDF2 values in the server source, updating the server code would be great.

grb · January 18, 2026, 1:50pm

If you’re not already familiar with the following notice, this would be your starting point for code contributions:

Micah_Edelblut · January 19, 2026, 9:50am

This is very much on the team’s radar as something we’d like to do in the future. At present, we do have some concern about the memory limits that iOS imposes on app extensions, which could cause users of the iOS mobile app trouble when trying to autofill if using sensible defaults for Argon2.

r3m8 · January 19, 2026, 10:29am

Thanks for your feedback !

indolering · January 23, 2026, 4:17am

So setting it for the memory limits that iOS would be less secure than the current default?