Continuing discussion from this GitHub ticket.
I am aware of Argon2 and its benefits over PBKDF2; however, since Bitwarden is a cross-platform application that is written in many different languages/frameworks, we must use an algorithm that is a standard. PBKDF2 has native implementations on all platforms that we deal with. Argon2 is relatively young and is not yet widely implemented. If we were to use Argon2 we would have to rely on unproven third-party libraries.
Libsodium supports Argon2 and there are bindings for .NET, Java, and Swift. There are also transpilers for JS and WebAssembly.
Users are terrible at choosing passwords and your servers will inevitably get breached.
Between repurposed cryptocurrency mining clusters, probabilistic word lists, and three-letter agencies plowing hundreds of millions into custom ASICs … your key derivation function is the single most important aspect of your security model. Switching to Argon2 would yield an immediate 3x improvement against brute-force attacks on generic GPUs and 10x or more against ASICs.
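To make the trade-off in the two posts above concrete, here is an added example (not code from this thread or from Bitwarden) that implements PBKDF2-HMAC-SHA256 from RFC 8018 in pure Python and checks it against the standard library's `hashlib.pbkdf2_hmac`. It shows why PBKDF2 is "a standard with native implementations everywhere" (the whole algorithm is a few lines over HMAC) and, at the same time, why it is weak against GPUs and ASICs: each iteration is one more HMAC call over a constant 32 bytes of state, so an attacker's cost is pure compute with no memory pressure, which is exactly what Argon2's memory-hardness is designed to add. Python is used because PBKDF2 is in its standard library while Argon2 is not (it needs a third-party package such as PyNaCl's libsodium bindings), which mirrors the developer's point. The `derive_master_key` function, with the lowercased e-mail as salt and 100000 iterations, is an illustrative scheme assumed for the example, not Bitwarden's actual parameters.

```python
"""PBKDF2-HMAC-SHA256 from RFC 8018, written out to show its cost structure.

Added example for the Argon2 vs PBKDF2 discussion; not project code.
"""
import hashlib
import hmac
import struct

HLEN = hashlib.sha256().digest_size  # 32 bytes of state per block


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Derive dklen bytes from password and salt (RFC 8018 section 5.2, PRF = HMAC-SHA256)."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if dklen < 1:
        raise ValueError("dklen must be >= 1")
    blocks = -(-dklen // HLEN)  # ceil(dklen / HLEN); each block is independent
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(password, salt || INT_32_BE(i))
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha256).digest()
        t = bytearray(u)
        # U_j = PRF(password, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
        # Only the previous 32-byte U and the 32-byte accumulator are live,
        # so the attacker's per-guess cost is `iterations` HMAC calls and
        # essentially no memory: this is the property Argon2 changes.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for j in range(HLEN):
                t[j] ^= u[j]
        out += t
    return bytes(out[:dklen])


def hmac_calls_per_guess(iterations: int, dklen: int = 32) -> int:
    """Number of HMAC-SHA256 invocations an attacker pays per candidate password."""
    return (-(-dklen // HLEN)) * iterations


def derive_master_key(password: str, email: str, iterations: int = 100000) -> bytes:
    """Illustrative password-manager style derivation (assumed scheme, not Bitwarden's):
    salt is the normalized e-mail so the same user always gets the same key."""
    return pbkdf2_hmac_sha256(
        password.encode("utf-8"), email.strip().lower().encode("utf-8"), iterations, 32
    )


# Known-answer vector for PBKDF2-HMAC-SHA256 ("password", "salt", c=1, dkLen=32),
# widely used in implementation test suites.
KNOWN_VECTOR = {
    "password": b"password",
    "salt": b"salt",
    "iterations": 1,
    "dklen": 32,
    "expected": bytes.fromhex(
        "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"
    ),
}


def self_test() -> bool:
    """True if the pure-Python PBKDF2 matches the known vector and hashlib (incl. multi-block)."""
    v = KNOWN_VECTOR
    if pbkdf2_hmac_sha256(v["password"], v["salt"], v["iterations"], v["dklen"]) != v["expected"]:
        return False
    # Constructed inputs: two blocks with truncation, and a higher iteration count.
    for pw, salt, c, dk in [
        (b"correct horse battery staple", b"user@example.com", 3, 40),
        (b"hunter2", b"\x00\x01\x02salt", 4096, 32),
    ]:
        if pbkdf2_hmac_sha256(pw, salt, c, dk) != hashlib.pbkdf2_hmac("sha256", pw, salt, c, dk):
            return False
    return True


if __name__ == "__main__":
    print("self-test:", self_test())
    print("HMAC calls per guess at 100000 iterations:", hmac_calls_per_guess(100000))
    print("master key:", derive_master_key("hunter2", "User@Example.com").hex())
```

The point to take from the inner loop: raising the iteration count only multiplies sequential HMAC work, and every candidate password in a cracking run needs just 64 bytes of live state, so GPU and ASIC crackers can run tens of thousands of guesses in parallel. Argon2id (available through libsodium, e.g. `nacl.pwhash.argon2id.kdf` in PyNaCl, not shown here because it is not standard-library code) forces each guess to touch a configurable amount of memory, which is what the 3x/10x figures in the post above are about.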