Update your encryption settings to meet new security recommendations and improve account protection

When I log in to my web vault it says “Update your encryption settings to meet new security recommendations and improve account protection”. I then click on “Update KDF settings” and “Change KDF”. However, the prompt asking me to update my encryption settings remains. Currently, KDF iterations is set to 100,000.

I believe the recommended number of iterations is 600,000. Once you click on update and change, you’ll need to click IN the field box (that currently shows 100,000) and input the new number. They also recommend changing it in small increments in case there are issues with the higher iteration number, 100,000 at a time. I just input 600,000 and saved it. No issues (on the web app at least; my phone is another matter). Hope this helps :+1:

1 Like

As @AbberantSalience mentioned, if you use a number less than 600,000 (as recommended), the prompt will remain.

It is recommended to back up your vault before changing your KDF configuration.

While you are at it, you may want to consider changing the KDF algorithm to Argon2id. The default parameters provide stronger protection than 600,000 PBKDF2 iterations, and you may get the additional protection without any performance loss.

3 Likes
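To make the trade-off in the posts above concrete, here is an added example (not code from this thread or from Bitwarden) that derives a PBKDF2-HMAC-SHA256 key at the 100,000 and 600,000 counts discussed, applies the "below the recommendation keeps the prompt" rule, and times one derivation to show how the per-guess cost scales. It assumes, for illustration only, that the account e-mail is used as the salt; the sample e-mail and password are constructed.

```python
import hashlib
import time

# Constructed sample inputs for this example only (not real credentials).
EMAIL = "User@Example.com"
PASSWORD = "correct horse battery staple"

OLD_ITERATIONS = 100_000          # the value shown in the original post
RECOMMENDED_ITERATIONS = 600_000  # the count the thread says clears the prompt


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password, salted with the e-mail.

    Assumption for this example: the salt is the trimmed, lowercased account
    e-mail. This illustrates the KDF type discussed in the thread; it is not
    a reimplementation of any Bitwarden client.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def meets_recommendation(iterations: int,
                         minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """The rule the thread describes: below the recommended count, the
    "update your encryption settings" prompt stays."""
    return iterations >= minimum


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one derivation; an offline attacker pays this
    (scaled by their hardware) for every password guess, so cost grows
    linearly with the iteration count."""
    start = time.perf_counter()
    derive_master_key(PASSWORD, EMAIL, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (OLD_ITERATIONS, RECOMMENDED_ITERATIONS):
        print(f"{n:>9,} iterations: {seconds_per_guess(n) * 1000:7.1f} ms per guess,"
              f" meets recommendation: {meets_recommendation(n)}")
    # A new iteration count yields a different master key, so anything
    # encrypted under the old master key has to be re-encrypted during the
    # change. That re-encryption is the step the thread advises backing up before.
    old = derive_master_key(PASSWORD, EMAIL, OLD_ITERATIONS)
    new = derive_master_key(PASSWORD, EMAIL, RECOMMENDED_ITERATIONS)
    print("master key changes with iteration count:", old != new)
```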

Argon2id is very snappy on my devices. Much improved security against brute force type attacks.

2 Likes

I too need to do this. How was your experience with this so far? Did you back up your passwords first?

@BitShrek Welcome to the forum!

Yes, you absolutely should back up your vault contents before making any changes to your account security settings, as there is a small (but real) risk that your Bitwarden vault can become corrupted or inaccessible if something goes wrong during the process.

To safeguard your backup, create a password-protected export, which is an option available when exporting from any non-mobile Bitwarden app (e.g., the Web Vault, Desktop app, or a browser extension). On the vault export screen, select “.json (Encrypted)” as the file format, and specify “Password-Protected” (not “Account-Restricted”) as the Export Type. For the file password, generate a random passphrase containing at least 5 words (use more words if you plan to keep the backup file after successfully completing the KDF update) and write down this file password on a piece of paper (record it on your Emergency Sheet if you plan to keep the backup file for use in the future); it would probably be best to generate and write down the file passphrase before initiating the vault export process.

Furthermore, if you have Premium, enter the search expression >attachments:* in the search bar of any non-mobile Bitwarden app, to find any vault items that have attached files. File attachments are not included in vault exports, and must be downloaded separately in order to have a full backup of your vault contents.

3 Likes

File attachments - I don’t see a way to save all attachments together in one step, so I assume you have to download each file individually to save - correct?

@fham Yes, that’s correct. Please note that the downloaded files are unencrypted, so if they contain sensitive data, you may need to take special precautions when backing these up.

To stress again the importance of backing up your vault: I tried to switch to Argon and it deleted all vault entries! Luckily, I had followed the advice and had everything backed up; so… heed the warning, it’s critical!!

Glad you avoided a disaster. Nonetheless, data loss, while a very real risk, is usually a rare occurrence. If you log in and find that your vault appears to be empty, more likely is that you’ve encountered a momentary glitch in the vault download and/or decryption process. Before going through the trouble of starting over with a new vault using imported data, it is worth it to log out, clear browser data, and try logging back in (perhaps repeating this process a few times). Contacting Bitwarden’s Customer Support may also be worthwhile if you encounter an apparently empty vault on login. (And one thing that you should never do is to attempt to make any changes to the account settings while your vault login is in a corrupted state that causes the vault to appear empty — this can make your situation much worse!)

2 Likes

I didn’t know that the extension now supports password-protected exports. Do you know since when?? Finally!!!

As for the mobile devices, you can export a password-protected .json via the web vault in a browser. I just realized that.

Password-protected export was released for the Desktop app and browser extensions in version 2024.6.0.