Bitwarden Design Flaw : Server side iterations
<blockquote data-quote="Wladimir Palant" data-source="post: 1021457" data-attributes="member: 89522"><p>This comment is somewhat ridiculous. Here is what I replied on Reddit:</p><p>Why would they have this mechanism if they never used it? It’s a fairly complicated flow which needs to be thoroughly tested, not something you implement just to keep it around.</p><ol> <li data-xf-list-type="ol">Underpowered devices that justify using 5,000 iterations do not exist, not in the year 2023. I even doubt that they existed a decade ago when Bitwarden was created. There is zero reason to have accounts with less than 100,000 iterations today. And it is questionable whether there is a reason not to migrate everyone to the new default of 350,000 iterations.</li> <li data-xf-list-type="ol">The UX issues here are solvable. For one, this upgrade should usually happen only after the user logged in with their master password. If they never do because they forgot it, they can be forced to set a new master password. And initially it doesn’t have to be an unconditional change that will log them out at an inconvenient time – they can be offered a one-click upgrade that is strongly recommended.</li> </ol><p><em>Informing</em> users is not good enough for security-relevant decisions. Bitwarden has been keeping users on known insecure settings for five years.</p><p></p><p>Mind you, increasing PBKDF2 iterations forever is certainly not the solution. PBKDF2 is a known bad algorithm, it’s way easier to attack than to defend. That’s why Bitwarden needs to implement something better. And their own 2018 Security Assessment already said that, advice they chose to ignore. Let’s hope Argon2 support lands soon and existing accounts get upgraded to use it.</p></blockquote><p></p>
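The point of the post above is that PBKDF2's cost is linear in its iteration count, so an account left at 5,000 iterations makes every offline guess 70 times cheaper than one at the 350,000 default, and that such accounts should be migrated rather than merely flagged. The following is an added, stand-alone illustration of that arithmetic; it is not Bitwarden's code and not the poster's. It assumes a PBKDF2-HMAC-SHA256 derivation salted with the lower-cased account e-mail and producing a 32-byte key, which is the general shape of a client-side master-key derivation, and it uses constructed sample credentials and a constructed wordlist. The `needs_kdf_upgrade` policy function and the 100,000 threshold are taken from the post's argument, not from any product setting.

```python
"""Added example: why a low PBKDF2 iteration count matters for a password vault.

Not Bitwarden's code. The derivation shape (PBKDF2-HMAC-SHA256, e-mail as
salt, 32-byte key) is an assumption chosen to resemble a client-side
master-key derivation; the iteration counts are the ones named in the post.
"""

import hashlib
import time

# Iteration counts named in the post.
LEGACY_ITERATIONS = 5_000
OLD_DEFAULT_ITERATIONS = 100_000
NEW_DEFAULT_ITERATIONS = 350_000
# The post's position: anything below this is a known insecure setting.
RECOMMENDED_MINIMUM = 100_000


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, salted with the
    normalised (lower-cased, trimmed) e-mail address. Assumption: this is the
    only work factor an attacker holding a copy of the encrypted data has to
    repeat, so it is the only one that slows a guessing attack down."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def needs_kdf_upgrade(iterations: int, minimum: int = RECOMMENDED_MINIMUM) -> bool:
    """Migration policy argued for in the post: accounts below the minimum
    get upgraded on next successful login, not just informed."""
    return iterations < minimum


def cost_ratio(iterations: int, baseline: int = NEW_DEFAULT_ITERATIONS) -> float:
    """PBKDF2 cost is linear in the iteration count, so this is the attacker's
    per-guess cost at `iterations` as a fraction of the cost at `baseline`.
    5,000 vs 350,000 gives 1/70."""
    return iterations / baseline


def offline_guess(target_key: bytes, email: str, iterations: int, candidates):
    """Dictionary attack against a leaked master key: re-derive each candidate
    and compare. Returns (password_or_None, derivations_performed). Each
    derivation costs `iterations` rounds of HMAC, nothing else stands in the
    attacker's way."""
    for n, candidate in enumerate(candidates, start=1):
        if derive_master_key(candidate, email, iterations) == target_key:
            return candidate, n
    return None, len(candidates)


def demo() -> None:
    email = "alice@example.com"                   # constructed sample account
    password = "correct horse battery staple"     # constructed sample password
    wordlist = [                                  # constructed wordlist
        "password", "123456", "letmein", "hunter2",
        "correct horse battery staple",
    ]
    for iters in (LEGACY_ITERATIONS, OLD_DEFAULT_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        key = derive_master_key(password, email, iters)
        t0 = time.perf_counter()
        found, tries = offline_guess(key, email, iters, wordlist)
        elapsed = time.perf_counter() - t0
        print(
            f"{iters:>7} iterations: cracked={found is not None} after {tries} "
            f"guesses in {elapsed:.3f}s, per-guess cost {cost_ratio(iters):.4f}x "
            f"of the 350k default, upgrade needed={needs_kdf_upgrade(iters)}"
        )


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the wall-clock time of the five-word dictionary attack growing in direct proportion to the iteration count; the same linear relationship is what makes raising the count a stop-gap rather than a fix, since an attacker with GPUs scales the same way and a memory-hard function such as Argon2 is what changes the economics.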