Currently, new Bitwarden accounts default to PBKDF2_SHA256 with 600,000 iterations. Argon2id has been implemented for almost three years now, so it is stable enough to be set as the default and can significantly increase the level of security of users.
I see 3 ways:
Change all hard‑coded PBKDF2 defaults to always use Argon2id
Use existing argon2‑default feature flag to toggle between PBKDF2 (default) and Argon2id (and use something like globalSettings__launchDarkly__flagValues__argon2‑default: “true”)
Add new globalSettings__defaultKdfType setting (Argon2id/PBKDF2_SHA256)
argon2‑default flag exists (src/Core/Constants.cs:192) but is not used anywhere in the server code. The last two options will need an additional variable in the helm chart (maybe pre‑install‑hook‑configmap.yaml).
I see that the linked server PR has already been merged with the argon2-default flag, but as I mentioned, this flag isn’t being used anywhere in the server source code.
Given the many hardcoded PBKDF2 values in the server source, updating the server code would be great.
This is very much on the team’s radar as something we’d like to do in the future. At present, we do have some concern about the memory limits that iOS imposes on app extensions, which could cause users of the iOS mobile app trouble when trying to autofill if using sensible defaults for Argon2.
I think I once read something about 48 MiB memory as the critical limit for iOS… I think it was in the BW Help Sites… now, I’m a bit confused, because Encryption Key Derivation | Bitwarden states that everything above 64 MiB would be critical – but then, where would the problem be, since the current default for Argon2 is 64 MiB?!
And if the memory should rather be 48 MiB in regards to iOS, could it be an alternative to lower the default memory to 48 MiB, but then increase the default iterations from 3 to 4 (or 5 or 6…)? (of course, I don’t really know if that increase in iterations would sufficiently compensate for the lower memory…)
EDIT: Ah, I think you wouldn’t want to use a configuration that is not officially recommended (OWASP…), right?
I’m not sure when you might have seen 48Mb referenced as a limit for iOS. As far as I know, the current default of 64Mb is okay on iOS, with the app warning users that unlock might fail if their settings are higher than that.
It was a while ago… And I think I’m not hallucinating that (one) – I just did a quick search, and @Quexten also mentioned this (older) limit e.g. in this post here from 2023:
The resources should not be a problem - even on an iPhone or Android phone. The only edge case is iOS autofill, due to a software restriction that is part of iOS. Hence the recommendation to lower the memory to 48 MiB.
(emphasis my edit)
Well, not important anymore then, when the current default of 64 MiB is not problematic for iOS…
I just checked and it looks like we are actually going with 32Mb and 6 iterations for users when we default them to argon2id - probably to be safe with memory limits on iOS.
I’m an iOS user (not the latest iOS because I’m still using an older iPhone) and I’ve fairly recently switched over to using the default Argon2id settings and it seems to be working fine for me. I can’t remember if the default is 32 or 64 MB but yeah it’s working exactly the same as it was before on the other one (PBKDF2 or whatever it’s called). My Argon2id settings won’t change on their own when the defaults inevitably increase over time will they? I’m guessing no because with the other one they didn’t increase on their own, they had to be manually adjusted.
I would also think a change of the defaults alone over time doesn’t force a change of current accounts. But it may be forced at some point in the future, if it is deemed necessary eventually. (just like the current Release Notes state it for PBKDF2: accounts with iterations below 600,000 will be updated automatically to 600,000 iterations now)
My Argon2id settings won’t change on their own when the defaults inevitably increase over time will they? I’m guessing no because with the other one they didn’t increase on their own, they had to be manually adjusted.
We are currently upgrading all users with less than 600,000 rounds of PBKDF2 to have a minimum of 600,000 rounds automatically (without user interaction in many cases, with a prompt in some). In the future, the same may be done for argon2id, or for migrating PBKDF2 users to argon2id, but please consider that the above defaults for argon2id are over an order of magnitude (10x) stronger against brute-force attacks on consumer GPUs (running hashcat).
In general, nearly no users manually upgrade KDF settings, even if prompted via in-app guidance to do so, so automatic upgrades have become necessary.
I’ll note that it is unlikely we will bump the minimum amount of memory automatically. Instead, the iteration count would be tuned. Argon2 is meant to have the memory adjusted first and foremost; however, given the variety of devices users run Bitwarden on, even 64MiB has proven difficult in some contexts such as iOS autofill.
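The upgrade policy and iOS memory limit discussed in this reply, as an added Python example that is not Bitwarden’s code: the thresholds (600,000 PBKDF2 floor, 48 MiB for old and 64 MiB for new iOS apps) are taken from the thread, the `KdfConfig` type and sample accounts are constructed for illustration, and Argon2id memory is never raised automatically, only PBKDF2 iterations.

```python
"""KDF settings policy check modelled on the thread above.
Added example, not Bitwarden code. Thresholds come from the posts;
the KdfConfig type and sample accounts are constructed."""
from dataclasses import dataclass, replace
import hashlib

PBKDF2_MIN_ITERATIONS = 600_000                       # floor enforced automatically
IOS_AUTOFILL_MEMORY_LIMIT_MIB = {"old": 48, "new": 64}  # per app generation


@dataclass(frozen=True)
class KdfConfig:
    kdf: str               # "PBKDF2_SHA256" or "Argon2id"
    iterations: int
    memory_mib: int = 0    # Argon2id only
    parallelism: int = 0   # Argon2id only


def upgrade_kdf(cfg: KdfConfig) -> KdfConfig:
    """Automatic upgrade: raise PBKDF2 iterations to the floor.
    Argon2id memory is deliberately left alone (only iterations would be tuned)."""
    if cfg.kdf == "PBKDF2_SHA256" and cfg.iterations < PBKDF2_MIN_ITERATIONS:
        return replace(cfg, iterations=PBKDF2_MIN_ITERATIONS)
    return cfg


def ios_autofill_warnings(cfg: KdfConfig, app_generation: str = "new") -> list:
    """Warn when Argon2id memory exceeds what iOS autofill can allocate."""
    limit = IOS_AUTOFILL_MEMORY_LIMIT_MIB[app_generation]
    if cfg.kdf == "Argon2id" and cfg.memory_mib > limit:
        return [f"Argon2id memory {cfg.memory_mib} MiB exceeds the {limit} MiB "
                f"iOS autofill limit for {app_generation} apps; unlock may fail"]
    return []


def derive_pbkdf2(password: bytes, salt: bytes, cfg: KdfConfig) -> bytes:
    """Derive a 256-bit key with the account's PBKDF2 settings. A different
    iteration count yields a different key, so an upgrade needs the password
    at hand, which is why some users see a prompt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, cfg.iterations, dklen=32)


if __name__ == "__main__":
    legacy = KdfConfig("PBKDF2_SHA256", iterations=100_000)   # constructed account
    upgraded = upgrade_kdf(legacy)
    print(upgraded)
    heavy = KdfConfig("Argon2id", iterations=3, memory_mib=128, parallelism=4)
    print(ios_autofill_warnings(heavy))
    print(derive_pbkdf2(b"pw", b"salt", legacy) != derive_pbkdf2(b"pw", b"salt", upgraded))
```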
Thanks @Nail1684, The current iOS limit of 48MiB was for the old mobile apps. The new apps have a limit of 64MiB after which they show the limit. I’ll get this updated with the docs team.
I’ve forgotten, what’s the current default for the Argon2 memory? Is it 64 MB/MiB? I could log into the web vault and check myself but I’m feeling lazy.