- Currently bitwarden uses PBKDF2, but this has its flaws nowadays and isn’t that secure anymore
- I propose to rather use bcrypt2, which is more secure
- What will this feature do differently?
- Ideally: nothing visible other than another option in the settings (for which the menu already exists)
- What benefits will this feature bring?
- Stronger security, because it is more resistant against brute-force
- It’s recommended by OWASP for password storage and should be quite widely adopted (e.g. in most spring security samples I’ve seen it’s being used)
- According to OWASP a work factor of minimum 10 and default 12 seems good
Related topics + references
- If this were to be combined with being able to dictate some defaults/restrictions on this topic via organizations and/or self-hosted server settings, this would be great
- A pepper could be additionally used to increase security (but it might get hard to switch it on compromise?)
- A possible alternative would be Argon2id (for which there already is a feature request) or scrypt, which would allow increasing memory usage for countering GPU-based hashing (used in some cryptocurrencies I think)
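As an added illustration (not Bitwarden's code and not part of the original post), the block below shows what the post is comparing: a CPU-only KDF (PBKDF2-HMAC-SHA256) next to a memory-hard one (scrypt), how bcrypt's logarithmic work factor translates into rounds, and how a server-side pepper can be layered in before the KDF. It uses only the Python standard library, which is why scrypt stands in for bcrypt and Argon2id here; every parameter value is an assumption chosen for illustration, not a Bitwarden default.

```python
import hashlib
import hmac
import os

# Illustrative parameter choices (assumptions, not Bitwarden's settings).
PBKDF2_ITERATIONS = 600_000                 # PBKDF2-HMAC-SHA256 iteration count
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1  # scrypt cost, block size, parallelism
DKLEN = 32                                  # derived key length in bytes


def pbkdf2_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: cost scales only with CPU time, so it parallelises well on GPUs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """RAM scrypt touches per guess, roughly 128 * r * N bytes.
    This is the memory usage the post refers to: every parallel guessing lane needs its own copy."""
    return 128 * r * n


def scrypt_key(password: str, salt: bytes, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bytes:
    """scrypt via hashlib; maxmem is raised above the required amount so the chosen N is allowed."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=DKLEN)


def bcrypt_rounds(work_factor: int) -> int:
    """bcrypt's cost parameter is logarithmic: work factor 12 means 2**12 key-setup rounds."""
    return 2 ** work_factor


def apply_pepper(password: str, pepper: bytes) -> str:
    """Pre-hash the password with a secret pepper (kept outside the credential store) before the KDF.
    Rotating the pepper later requires re-hashing every record at the user's next login, which is the
    practical difficulty the post mentions."""
    if not pepper:
        return password
    return hmac.new(pepper, password.encode("utf-8"), "sha256").hexdigest()


def hash_password(password: str, pepper: bytes = b"", kdf: str = "scrypt") -> str:
    """Produce a self-describing record so parameters can be raised later without breaking old hashes."""
    salt = os.urandom(16)
    material = apply_pepper(password, pepper)
    if kdf == "scrypt":
        key = scrypt_key(material, salt)
        return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"
    if kdf == "pbkdf2":
        key = pbkdf2_key(material, salt)
        return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"
    raise ValueError(f"unknown kdf {kdf!r}")


def verify_password(record: str, password: str, pepper: bytes = b"") -> bool:
    """Recompute the key from the record's own parameters and compare in constant time."""
    parts = record.split("$")
    material = apply_pepper(password, pepper)
    if parts[0] == "scrypt":
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        actual = scrypt_key(material, salt, n=n, r=r, p=p)
    elif parts[0] == "pbkdf2":
        iterations = int(parts[1])
        salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        actual = pbkdf2_key(material, salt, iterations)
    else:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", pepper=b"server-side-pepper")
    print(record)
    print("verify:", verify_password(record, "correct horse battery staple", pepper=b"server-side-pepper"))
    print("scrypt RAM per guess (MiB):", scrypt_memory_bytes() // (1024 * 1024))
    print("bcrypt rounds at work factor 12:", bcrypt_rounds(12))
```

The record format carries its own parameters so a deployment can raise the iteration count, N, or work factor later and re-hash each account on its next successful login; that is the same migration path a Bitwarden KDF option would need.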