Switch to Argon2

All webapps have that issue. That’s why I almost exclusively use the FF/Chrome addon and Android app.

The KDF Bitwarden uses is THE industry standard. It is not the best, but it is by no means “insecure”.

I’m not sure how backwards compatible BW is that you could actually use BW without auto-update. All updates are signed, and the OS/browser should refuse to install them if they are not signed. The real question is how robust the security around their signing system is.

1 Like

Feature name

AES-256-GCM and Argon2d

Feature function

This feature increases Bitwarden’s overall security.

Related topics + references

1 Like

@michaelsmoody any news or any place to see the progress? GitHub?

2 Likes

I hope this feature will have a place in the new 2021 Roadmap!

I read that a potential reason why Argon2 might not be used is because it’s not “hardware accelerated”. I decided to play around with several different implementations of Argon2, like KeePass, an npm node package, and some arbitrary JavaScript implementation to run in a web browser. They were all within a factor of each other. From a security standpoint, that’s a “1 bit” difference.

Also less than a factor difference between Samsung S7, Intel i5, Samsung S20.

Other than development time, I see no reason to not do this. May want to warn the user about setting memory too high. May also want to have some way to test how long it will take for a calculation. A simple page with the config options and a timer would suffice.

1 Like

It may not be the case it’s entirely about hardware acceleration per se, but hardware in general.

Argon2 looks to be optimized primarily for x86 multi-core and appears to derive its security from memory-hard functions.

Bitwarden must run on a range of architectures, all of which may not have the available RAM to perform large memory-hard processes.

Argon2 is completely configurable. You can do MiB to GiB and beyond. The end user just needs to be aware of what platforms they plan on using it on. For me it’s desktops with 32-64GiB of memory and cellphones with 6-12GiB.

It effectively comes down to this. pbkdf2 uses almost no memory at all, allowing a GPU to scale nearly perfectly with all of its thousands of cores. Setting Argon2 to even 8MiB would render most GPUs ineffective. It’s not just a total memory issue, but random memory access. Even if a GPU could handle the memory cost, they’re highly optimized for sequential access and limited shared cache.

The main thing is to make it optional, configurable, and maybe come with a decent warning when beyond certain memory parameters.

2 Likes

That’s true about pbkdf2, but 6-12GB for phones seems high (not everyone has a flagship).

Those GPU-accelerated attacks have to run through something like 100,000 iterations of pbkdf2 (customizable per account) per test, and they’re salted so any given attack would be specific to an individual user account.

Is anyone else using Argon2 yet? I think LastPass is still pbkdf2.

You’re probably right, though, going forward. PBKDF2 won’t last forever.

You don’t need a “flagship” phone to benefit. Even a few MiB would make all of the difference. And 6GiB is for a 4 year old flagship that I can get for free with a $40/m cellphone plan on a 2 year contract.

100,000 iterations isn’t a whole lot. Modern GPUs can crank through about 50 million hashes per second, which is about 500 passwords a second. Not much, but enough for a dedicated attack. A custom ASIC can do about 16 trillion hashes per second, which would be 160,000,000 passwords per second.

The bitcoin network is processing about 74 quintillion hashes per second, or at 100k hashes per attempt, about 74 trillion passwords per second.

Instead of GPUs being 1000x faster and ASICs being 1,000,000x faster than your CPU, they would be about the same speed at best. This is the main issue with pbkdf2. It’s only slow on your device, but fast for attackers. Argon2 levels the playing field.

2 Likes

@tgreer This feature request is pretty similar to Switch to Argon2

If there is funding available, I would love to work on this. I have experience with Haxe and could create a polyglot library for using an accelerated version of Argon2 on any platform.

2 Likes

Flagging this for @tgreer @cscharf

Thanks for keeping the discussion alive! Funding isn’t so much the issue as is engineering time to scope/plan/discuss the implementation plan, since it will touch so many parts of the platform.

Chad is working on prepping for a release this week, so we’ll see if he has any input once he comes up for air 😅

@tgreer The main concern is getting Argon2 available for all platforms and benchmarking it/figuring out the right settings, correct? I’m overqualified for both of those tasks (I wanted to get a PhD on this topic at one point). If you put up some bounties, I would love to work on it!

1 Like

Is there any update around argon2?

Hoping for argon2id support.

Most users of Argon2 use as much memory as possible because memory is usually the bottleneck for attackers. But even using much smaller amounts of memory is helpful. Even using just 128MB would greatly limit an attacker. E.g. a typical top end consumer GPU such as a 3090 which many gamers already own has 10,496 cores to use in parallel but only 24GB RAM, limiting parallelism to 24GB / 128 MB = about 180 - a decline of two orders of magnitude - and that’s an absolute ceiling with the actual limit being probably much lower depending on architecture.

There’s some relevant speculation of the precise limit at “Since GPUs have gigabytes of memory, does Argon2id need to use gigabytes of memory as well in order to effectively thwart GPU cracking?” (Information Security Stack Exchange)

2 Likes
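Added example, not part of any post in this thread: a small Python model of the two arguments made above (a PBKDF2 guess costs the full iteration count in hashes; a memory-hard KDF caps parallel guesses at device memory divided by per-guess memory), plus the timer suggested earlier for choosing a setting. Function names are hypothetical, the figures are the ones posters quoted, and the password and salt are constructed sample values.

```python
# Added illustration; function names are hypothetical, figures are the ones quoted in the thread.
import hashlib
import time

MIB, GIB = 1024 ** 2, 1024 ** 3


def pbkdf2_guesses_per_second(raw_hash_rate, iterations):
    """One password guess costs `iterations` hash evaluations."""
    return raw_hash_rate / iterations


def memory_bound_lanes(device_memory, kdf_memory, cores):
    """Ceiling on guesses computed at once when each one needs kdf_memory bytes."""
    return min(cores, device_memory // kdf_memory)


def time_pbkdf2(iterations, rounds=3):
    """Best-of-N wall time (seconds) for one PBKDF2-HMAC-SHA256 derivation."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        # Password and salt are constructed sample values.
        hashlib.pbkdf2_hmac("sha256", b"sample-password", b"sample-salt-0001", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_for_budget(target_seconds, probe=50_000):
    """PBKDF2 cost is linear in iterations, so scale up from one probe timing."""
    return max(1, int(probe * target_seconds / time_pbkdf2(probe)))


def thread_figures():
    """Evaluate the model on the numbers posters quoted."""
    return {
        "gpu_pbkdf2_guesses_per_s": pbkdf2_guesses_per_second(50e6, 100_000),
        "asic_pbkdf2_guesses_per_s": pbkdf2_guesses_per_second(16e12, 100_000),
        "lanes_24GiB_at_128MiB": memory_bound_lanes(24 * GIB, 128 * MIB, 10_496),
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name}: {value:,.0f}")
    print(f"PBKDF2 at 100,000 iterations: {time_pbkdf2(100_000) * 1000:.1f} ms on this machine")
    print(f"iterations for a 0.5 s budget: {iterations_for_budget(0.5):,}")
```

With binary units the memory ceiling for the quoted card comes out at 192 lanes, in line with the "about 180" in the post above.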

I found the comment on 1Password quite interesting and tried to gather the current state of options that other password managers offer:

1Password: PBKDF2-HMAC-SHA256
Dashlane: Argon2d, PBKDF2
GnomeKeyring: PBKDF2 planned, but not implemented
LastPass: PBKDF2 with SHA-256
Keepass: AES-KDF, Argon2
KeePassXC: AES-KDF, Argon2
Password Safe: PBKDF2 with SHA-256

So, Bitwarden supporting “only” PBKDF2 SHA-256 appears to be quite reasonable by comparison.

6 Likes

Is this planned at all? or is a dead end?

1 Like

Bitwarden constantly looks at the landscape for the right combination of industry standard and emerging encryption technologies. This is an ongoing endeavor. Argon2 is on our radar screen but not slated for 2022.

7 Likes