Take control of your online security: Bitwarden introduces Argon2 KDF support
The Bitwarden password manager has added support for the Argon2 key derivation function (KDF). The feature was still in development when we reported on it a few weeks ago.
To be more specific, Bitwarden uses Argon2id, a hybrid of Argon2d and Argon2i: it inherits Argon2i's resistance to side-channel attacks and Argon2d's resistance to GPU cracking.
My previous article highlights the advantages of Argon2 over PBKDF2, please refer to it for more details. In a nutshell, Argon2 is memory-hard: every guess at your master password costs an attacker not only time but also a fixed amount of memory, which limits how many guesses can run in parallel on GPUs or custom hardware. PBKDF2 costs only CPU time, so it parallelizes cheaply.
Warning: We advise you not to enable Argon2 for your account right away, because older versions of the apps do not support this KDF. Wait until you have received the 2023.2 update on all your Bitwarden apps, i.e. the desktop program, the mobile app on your Android or iPhone, and the browser extensions for Firefox, Chrome, etc. Once you have verified that you have the new version on all your devices, you can switch to Argon2. If one device still runs an old version of the app, you won't be able to access your Bitwarden vault on that device until you revert the change via the web vault.
You should back up your vault before changing the KDF, so please export your vault before proceeding. Changing the KDF logs you out of your account on all of your devices, so you'll need to enter your master password again to access the vault or re-enable biometric authentication.
How to enable Argon2 KDF in Bitwarden
1. Go to Bitwarden's web vault in your browser.
2. Sign in to your account.
3. Go to the Security section, and switch to the Keys tab.
4. Click on the drop-down menu below the KDF algorithm.
5. By default, it's set to use PBKDF2 SHA-256. Select Argon2id.
6. The page will display some additional options. The default values should be fine. Here they are for your reference: KDF Iterations 3, KDF Memory 64MB, and KDF Parallelism 4.
7. Click on the Change KDF button. You will be asked to enter your master password to save your changes.
That's it, Bitwarden now uses Argon2id to derive the key that protects your vault.
Note: Users who wish to change the parameters can experiment with the Argon2 online tool to see how their browser performs with higher values. Keep in mind that mobile devices may have limited memory, so don't set the memory value too high. (h/t: reddit)
On a side note, the Bitwarden 2023.2.0 update raises the default number of PBKDF2 KDF iterations to 600,000; you can change it manually too. It has also raised the minimum count to 100,000, which is still low compared with the OWASP recommendation of 600,000 iterations for PBKDF2-HMAC-SHA256. It's not clear whether the new default applies only to new accounts or to existing ones as well. The release notes for the update are available on the project's GitHub page.
Bitwarden users had been requesting support for Argon2 for over six years, so it's good to see that the developers have finally added it. Password managers are starting to take their security more seriously in the wake of the LastPass data breach a few months ago.
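To put numbers behind the "see how your browser performs" advice above and the PBKDF2 iteration counts mentioned in the side note, here is a small benchmark that derives a 32-byte key with both KDFs at the settings named in this article: PBKDF2-SHA256 at the new 100,000 minimum and 600,000 default, and Argon2id at the default 3 iterations / 64 MB / parallelism 4, plus a 256 MB setting chosen here purely as an example of "higher values". This is an added example, not Bitwarden's own code; it assumes the `argon2-cffi` package (bindings for the reference Argon2 implementation) is installed, and the password and random salt are constructed inputs for the benchmark only (Bitwarden derives its real salt from the account email).

```python
"""Benchmark PBKDF2-SHA256 and Argon2id at the settings discussed in the article.
Added example for illustration; not Bitwarden's code."""
import hashlib
import os
import time

try:
    # pip install argon2-cffi ; bindings for the reference Argon2 implementation
    from argon2.low_level import Type, hash_secret_raw
except ImportError:  # the PBKDF2 half of the benchmark still runs without it
    hash_secret_raw = None

PBKDF2_MIN_ITERATIONS = 100_000      # Bitwarden 2023.2 minimum
PBKDF2_DEFAULT_ITERATIONS = 600_000  # Bitwarden 2023.2 default; matches OWASP
ARGON2ID_DEFAULTS = {"iterations": 3, "memory_kib": 64 * 1024, "parallelism": 4}


def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """32-byte key from PBKDF2-HMAC-SHA256; cost grows linearly with iterations
    and needs almost no memory, which is why GPUs crack it cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def argon2id_key(password: bytes, salt: bytes, iterations: int,
                 memory_kib: int, parallelism: int) -> bytes:
    """32-byte key from Argon2id; cost grows with iterations * memory, and every
    guess must hold memory_kib KiB, which is what throttles GPU crackers."""
    if hash_secret_raw is None:
        raise RuntimeError("argon2-cffi is not installed (pip install argon2-cffi)")
    return hash_secret_raw(password, salt, time_cost=iterations,
                           memory_cost=memory_kib, parallelism=parallelism,
                           hash_len=32, type=Type.ID)


def timed(fn, *args, **kwargs):
    """Run fn once and return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(*args, **kwargs)
    return result, time.perf_counter() - start


def benchmark(password: bytes, salt: bytes) -> dict:
    """Time each KDF setting on this machine. Returns {label: seconds}."""
    timings = {}
    for n in (PBKDF2_MIN_ITERATIONS, PBKDF2_DEFAULT_ITERATIONS):
        _, seconds = timed(pbkdf2_key, password, salt, n)
        timings[f"pbkdf2-sha256 {n:,} iterations"] = seconds
    if hash_secret_raw is not None:
        # 64 MB is the Bitwarden default; 256 MB is an arbitrary "higher value"
        for mem_mib in (64, 256):
            params = dict(ARGON2ID_DEFAULTS, memory_kib=mem_mib * 1024)
            _, seconds = timed(argon2id_key, password, salt, **params)
            label = (f"argon2id t={params['iterations']} m={mem_mib}MB "
                     f"p={params['parallelism']}")
            timings[label] = seconds
    return timings


if __name__ == "__main__":
    # Constructed inputs: any password and a random 16-byte salt for the benchmark
    password = b"correct horse battery staple"
    salt = os.urandom(16)
    for label, seconds in benchmark(password, salt).items():
        print(f"{label:45s} {seconds * 1000:8.1f} ms")
```

Run it on the slowest device you unlock your vault on: the time it prints for a setting is roughly the delay you will see at every unlock, while the memory figure is the amount each guess costs an attacker. Raising PBKDF2 iterations only raises the time column; raising Argon2id memory raises both, and a phone that cannot allocate the chosen amount will fail to unlock, which is the reason for the mobile caveat above.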
Default values fail in Waterfox and Librewolf. OK in Brave but I reset to previous values.
I had not tested it on my phone. After the reset, an app in which I do use Google sign-in failed to log on. Google itself was OK. Some may see irony in that sentence.
Some may see irony in my preference of browsers and use of Google on the phone, but phone screens are too small for me. I never browse using the phone and think it's a good thing if Google realises some people still genuinely care for nature.
Thank you for the heads up. Changed to Argon2 in the latest version of Chrome after checking the version of Android.
Your articles make it worth to still stick with ghacks, Ashwin. Thank you! But man those articles from the new authors are … something else.
Thanks @Ashwin for this very interesting article! :]
The browser extension in Firefox quit working after I changed to Argon2id. It was a bit of a hassle to change back to PBKDF2 SHA-256 while using 2FA to log in. I’d wait until the extensions all get an update to support Argon2id.