User configurable key derivation iterations (key stretching)

Add the ability to make the number of iterations in the key derivation algorithm (PBKDF2) user configurable.

GitHub issue ref: Requests: key stretching: document PBKDF2 rounds + ability to control rounds by user-setting · Issue #31 · bitwarden/clients · GitHub

I’m a bit unsure if letting users vote on such important security features is a good idea. Those should always be higher up on the todo list than the “normal” feature requests.

And IF you want users to vote on these things, the feature should at least be explained in a way that normal users (=non-developers) understand the added security provided by this feature and thus the importance.

Well, it seems from the votes that lots of users understand the importance of this feature, but I agree this is vitally important, especially since the default amount used today is pretty low for modern standards.

Besides the increased security of having more iterations, is there added security to users having different numbers of iterations?

IOW, if an attacker knows everyone is using 5000 iterations, is it easier to coordinate an attack versus attacking a system in which users are using different numbers of iterations (with a minimum of 5000)?

Agree here, there should be a minimum number of iterations set. Sky being the limit :wink:

This feature request “mirrors” the PIM feature on VeraCrypt’s encrypted vaults. The personal iteration manager (PIM) lets users specify the exact needed iteration count and an adversary would not know the count needed. It greatly increases/fortifies the strength of the vault firewall.

Preliminary support for this feature will be available in the next app releases. Once the updates have propagated throughout we will enable the ability to alter a setting from the web vault for 5,000 - 1,000,000 iterations.

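As an added example (not code from this thread, from Bitwarden, or from VeraCrypt), the following Python block shows what a user-configurable PBKDF2 iteration count looks like in practice: a PBKDF2-HMAC-SHA256 derivation that enforces the 5,000 to 1,000,000 range mentioned in the staff reply above, a constant-time check of the derived key, and two small cost functions that answer the earlier question about whether varying counts across users adds anything. The salt (the normalised account e-mail), the 32-byte key length and the sample password are assumptions for the example only.

```python
import hashlib
import hmac
import time

# Iteration range stated in the thread for the web vault setting.
MIN_ITERATIONS = 5_000
MAX_ITERATIONS = 1_000_000
KEY_LEN = 32  # 256-bit derived key; an assumption for this example


def iterations_allowed(iterations: int) -> bool:
    """True if the requested count lies inside the configurable range."""
    return MIN_ITERATIONS <= iterations <= MAX_ITERATIONS


def derive_key(password: str, salt: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a user-chosen iteration count.

    The salt is a per-user value; here the normalised account e-mail stands in
    for it (an assumption for the example, not a description of any product).
    """
    if not iterations_allowed(iterations):
        raise ValueError(
            f"iterations must be between {MIN_ITERATIONS} and {MAX_ITERATIONS}"
        )
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        salt.strip().lower().encode("utf-8"),
        iterations,
        KEY_LEN,
    )


def verify_password(password: str, salt: str, iterations: int, expected: bytes) -> bool:
    """Compare a freshly derived key to the stored one in constant time."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)


def relative_cost(iterations: int) -> float:
    """Attacker work per password guess, relative to the 5,000 minimum.

    PBKDF2 cost is linear in the iteration count, so raising the count from
    5,000 to 100,000 makes every guess 20x more expensive.
    """
    return iterations / MIN_ITERATIONS


def work_with_unknown_count(candidate_counts) -> int:
    """PBKDF2 iterations an attacker spends per guess when the count is unknown.

    Each candidate count has to be run to completion before the guess can be
    ruled out, so the work is the sum of all candidates, not the largest one.
    """
    return sum(candidate_counts)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of a single derivation on this machine (constructed input)."""
    start = time.perf_counter()
    derive_key("constructed sample password", "user@example.com", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (MIN_ITERATIONS, 100_000, 600_000):
        print(f"{n:>9} iterations: {seconds_per_guess(n):.3f}s per guess, "
              f"{relative_cost(n):.0f}x the minimum")
    print("unknown count over 5k/100k/600k:",
          work_with_unknown_count([5_000, 100_000, 600_000]), "iterations per guess")
```

Running the block prints how long one derivation takes at 5,000, 100,000 and 600,000 iterations; the time grows linearly with the count, which is exactly the multiplier an offline attacker pays per guess. The unknown-count figure is an upper bound: in a client-server design the legitimate client must learn the count before it can derive the key, so the magnitude of the count is the defence to rely on, and any uncertainty the attacker has about it is a bonus at best.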

Thanks, this should be a priority considering the purpose of Bitwarden.

When will this feature be deployed? Any estimation?
I am waiting for this to migrate from LastPass paid.

This feature is complete for the next web vault release, 2.3.