Vaultwarden - Security Enhancement Tip

Reply to Vaultwarden - Security Enhancement Tip on Mon, 04 Mar 2024 17:34:56 GMT

crazybrad — Mon, 04 Mar 2024 17:34:56 GMT

@andreasdueren Good question. I don't know the answer. Is there something similar for Argon2id parameters?

Reply to Vaultwarden - Security Enhancement Tip on Mon, 04 Mar 2024 08:25:14 GMT

andreasdueren — Mon, 04 Mar 2024 08:25:14 GMT

@crazybrad said in Vaultwarden - Security Enhancement Tip:

Note: Each user will need to change this setting for their account.

Isn't it enforced by the PASSWORD_ITERATIONS ENV which updates it for all users on login?

Reply to Vaultwarden - Security Enhancement Tip on Sun, 03 Mar 2024 13:15:03 GMT

nichu42 — Sun, 03 Mar 2024 13:15:03 GMT

I had changed to Argon2id a while ago. Since I was not sure about this needs to be done, but it was offered to me, I also rotated my encryption key as explained here: https://bitwarden.com/help/account-encryption-key/
No matter if you just change the algorithm or rotate the key, you will need to log out on all your devices (desktop client, mobile client, browser extension) and login in again afterward.
What I did had no impact on OTP.

Reply to Vaultwarden - Security Enhancement Tip on Sun, 03 Mar 2024 02:41:14 GMT

crazybrad — Sun, 03 Mar 2024 02:41:14 GMT

@LoudLemur I can answer some of your questions. Yes, Account Settings → Security → Keys will allow you to change either the KDF value or change the algorithm to Argon2id. These changes are for your entire account - so browser, desktop, smartphone app would all use the new algorithm/KDF value. I believe you need to log in again if you have an active login whilst changing the algo/KDF. OTP and passphrase I am not using just yet so I can't answer your question from experience. But since these settings are per user, I am tempted to create a test user where I can try out Argon2id settings, and to your point, play with 1 or 2 OTP and passphrases and see the consequences. If they are fatal, then simply delete the user, rinse and repeat until I get it right.

Reply to Vaultwarden - Security Enhancement Tip on Sat, 02 Mar 2024 23:33:27 GMT

LoudLemur — Sat, 02 Mar 2024 23:33:27 GMT

If you have a VaultWarden running, with passphrases already, would you need to create new passphrarses after changing the algorithm or the number of KDF iteration? Would it effect the OTP too? Also, if you have a browser extension for VW as well as a desktop VW, would it make a difference if you changed one whilst the other was online?

Oh yeah, one more thing: How do we change the settings?
Account Settings → Security → Keys

Thanks for raising this topic.

Reply to Vaultwarden - Security Enhancement Tip on Sat, 02 Mar 2024 13:18:18 GMT

jdaviescoates — Sat, 02 Mar 2024 13:18:18 GMT

@necrevistonnezr said in Vaultwarden - Security Enhancement Tip:

Official help doc: https://bitwarden.com/help/kdf-algorithms/

Thanks but having read that I'm still pretty much at a loss as to whether or not I should change from PBKDF2 SHA256 to Argon2id or not.

For now I've just increased my KDF iterations up to the recommended minimum of 600000 (it was previously just 100000).

Edit: but after reading through this as well, I think I will switch to Argon2id:

https://community.bitwarden.com/t/pbkdf2-vs-argon2-which-is-better/59187

Update: I switched to Argon2id and just opted the default settings (64 MiB of memory, iterate over it 3 times, and do so across 4 threads), which are significantly higher than the [current OWASP recommendations](current OWASP recommendations). I guess if I think it's too slow I could crank it down bit by bit toward (but no lower than) those recommendations.

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 12:52:56 GMT

necrevistonnezr — Thu, 29 Feb 2024 12:52:56 GMT

Official help doc: https://bitwarden.com/help/kdf-algorithms/

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 12:11:17 GMT

crazybrad — Thu, 29 Feb 2024 12:11:17 GMT

@nichu42 I was going to ask the same. I don't have any insights but would be interested in this as well. In the interim I am going to ask some colleagues who are more involved in network security.

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 10:10:20 GMT

nichu42 — Thu, 29 Feb 2024 10:10:20 GMT

I was under the impression that the general recommendation is to move over to Argon2. Any insights on that?

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 04:58:17 GMT

crazybrad — Thu, 29 Feb 2024 04:58:17 GMT

@infogulch Looks like you are right. I checked one of my VW backups and searching for the unique KDF iterations revealed that it is in fact stored in the database. So the information I read after the LastPass breach was incorrect suggesting that a random value of similar size provided more protection that just using the default value.

As I recall the default value at that time was 100,000 and OWASP was suggesting a much larger number. In fact some long time users had much smaller KDF iterations, making the hacking effort minimal.

So it looks like OWASP recommendation should be the minimum KDF iterations and to @girish question earlier, perhaps increasing the value based on your own hardware devices in sensible increments.

Thank you @infogulch for correcting my misinformation. But since my random # was higher than 600,000, I'm keeping it:)

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 03:06:04 GMT

infogulch — Thu, 29 Feb 2024 03:06:04 GMT

This doesn't sound right. The number of iterations has to be stored in the database, and it is very often stored with the password hash. Changing to a "unique" number doesn't have any meaningful impact on security, aside from being big enough..

The iteration count is designed to be a flexible way to increase the computational effort required for each cracking attempt. This is helpful because Moore's Law is quite real and instead of inventing a new hash every 2 years, users and operators can just bump the iteration count to maintain the same expected level of effort an attacker would have to expend with new hardware.

Reply to Vaultwarden - Security Enhancement Tip on Thu, 29 Feb 2024 01:59:52 GMT

crazybrad — Thu, 29 Feb 2024 01:59:52 GMT

@jdaviescoates No problem. Here is the reference to PBKDF2, but the rest of the "cheat sheet" is worth reading as well: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2

Reply to Vaultwarden - Security Enhancement Tip on Wed, 28 Feb 2024 16:01:26 GMT

jdaviescoates — Wed, 28 Feb 2024 16:01:26 GMT

@crazybrad said in Vaultwarden - Security Enhancement Tip:

OWASP publishes a recommendation on the # iterations for PBKDF2 encryption . Check periodically to make sure your value is equal to or greater than their recommendation.

could you link to where that info is published?

Reply to Vaultwarden - Security Enhancement Tip on Wed, 28 Feb 2024 13:08:42 GMT

crazybrad — Wed, 28 Feb 2024 13:08:42 GMT

@girish Great question. I'm not sure I have an answer. I think it depends on the devices you are using Bitwarden/VaultWarden on. The more CPU/RAM available, the less sensitive you will be to a higher KDF. I did use 900K+ after the LastPass compromise and I did notice at times LastPass was slow. I think the recommendation of increasing in ~100K increments is wise so if VW becomes slow, you can back off the last increment.

Reply to Vaultwarden - Security Enhancement Tip on Wed, 28 Feb 2024 10:07:34 GMT

girish — Wed, 28 Feb 2024 10:07:34 GMT

@crazybrad said in Vaultwarden - Security Enhancement Tip:

Setting a value too high can make VW a bit unresponsive, so increase sensibly based on VW's suggested increments

Is there an upper limit (that one should not try to set)?