Vaultwarden - Security Enhancement Tip
-
I wanted to share some information acquired from the school of hard knocks...
Background: I found that VaultWarden uses PBKDF2-SHA-256 as its default encryption with 600,000 iterations. One thing I discovered from security experts after being one of the many unlucky LastPass customers (victims of a hacking incident) was an added vulnerability in that everyone had the same number of KDF iterations based on default installation values. While VW's 600,000 is far greater (and better because it requires more calculation resources) than my LastPass default setting, it is unfortunately the same for everyone - unless you change that:)
Suggestions:
-
Set a random value > 600,000 for the # of KDF iterations - Account Settings | Security | Keys. Setting a value too high can make VW a bit unresponsive, so increase sensibly based on VW's suggested increments.
-
OWASP publishes a recommendation on the # iterations for PBKDF2 encryption . Check periodically to make sure your value is equal to or greater than their recommendation.
-
Note: Each user will need to change this setting for their account.
Benefits: A random KDF means a hacker has many more possible combinations to try. With any luck they will move on to an easier target. Staying at or above OWASP recommended iterations makes sense as well.
Hope this helps.
-
-
@crazybrad said in Vaultwarden - Security Enhancement Tip:
Setting a value too high can make VW a bit unresponsive, so increase sensibly based on VW's suggested increments
Is there an upper limit (that one should not try to set)?
-
@girish Great question. I'm not sure I have an answer. I think it depends on the devices you are using Bitwarden/VaultWarden on. The more CPU/RAM available, the less sensitive you will be to a higher KDF. I did use 900K+ after the LastPass compromise and I did notice at times LastPass was slow. I think the recommendation of increasing in ~100K increments is wise so if VW becomes slow, you can back off the last increment.
-
@crazybrad said in Vaultwarden - Security Enhancement Tip:
OWASP publishes a recommendation on the # iterations for PBKDF2 encryption . Check periodically to make sure your value is equal to or greater than their recommendation.
could you link to where that info is published?
-
@jdaviescoates No problem. Here is the reference to PBKDF2, but the rest of the "cheat sheet" is worth reading as well: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
-
This doesn't sound right. The number of iterations has to be stored in the database, and it is very often stored with the password hash. Changing to a "unique" number doesn't have any meaningful impact on security, aside from being big enough..
The iteration count is designed to be a flexible way to increase the computational effort required for each cracking attempt. This is helpful because Moore's Law is quite real and instead of inventing a new hash every 2 years, users and operators can just bump the iteration count to maintain the same expected level of effort an attacker would have to expend with new hardware.
-
@infogulch Looks like you are right. I checked one of my VW backups and searching for the unique KDF iterations revealed that it is in fact stored in the database. So the information I read after the LastPass breach was incorrect suggesting that a random value of similar size provided more protection that just using the default value.
As I recall the default value at that time was 100,000 and OWASP was suggesting a much larger number. In fact some long time users had much smaller KDF iterations, making the hacking effort minimal.
So it looks like OWASP recommendation should be the minimum KDF iterations and to @girish question earlier, perhaps increasing the value based on your own hardware devices in sensible increments.
Thank you @infogulch for correcting my misinformation. But since my random # was higher than 600,000, I'm keeping it:)
-
Official help doc: https://bitwarden.com/help/kdf-algorithms/
-
@necrevistonnezr said in Vaultwarden - Security Enhancement Tip:
Official help doc: https://bitwarden.com/help/kdf-algorithms/
Thanks but having read that I'm still pretty much at a loss as to whether or not I should change from PBKDF2 SHA256 to Argon2id or not.
For now I've just increased my KDF iterations up to the recommended minimum of 600000 (it was previously just 100000).
Edit: but after reading through this as well, I think I will switch to Argon2id:
https://community.bitwarden.com/t/pbkdf2-vs-argon2-which-is-better/59187
Update: I switched to Argon2id and just opted the default settings (64 MiB of memory, iterate over it 3 times, and do so across 4 threads), which are significantly higher than the [current OWASP recommendations](current OWASP recommendations). I guess if I think it's too slow I could crank it down bit by bit toward (but no lower than) those recommendations.
-
If you have a VaultWarden running, with passphrases already, would you need to create new passphrarses after changing the algorithm or the number of KDF iteration? Would it effect the OTP too? Also, if you have a browser extension for VW as well as a desktop VW, would it make a difference if you changed one whilst the other was online?
Oh yeah, one more thing: How do we change the settings?
Account Settings → Security → KeysThanks for raising this topic.
-
@LoudLemur I can answer some of your questions. Yes, Account Settings → Security → Keys will allow you to change either the KDF value or change the algorithm to Argon2id. These changes are for your entire account - so browser, desktop, smartphone app would all use the new algorithm/KDF value. I believe you need to log in again if you have an active login whilst changing the algo/KDF. OTP and passphrase I am not using just yet so I can't answer your question from experience. But since these settings are per user, I am tempted to create a test user where I can try out Argon2id settings, and to your point, play with 1 or 2 OTP and passphrases and see the consequences. If they are fatal, then simply delete the user, rinse and repeat until I get it right.
-
I had changed to Argon2id a while ago. Since I was not sure about this needs to be done, but it was offered to me, I also rotated my encryption key as explained here: https://bitwarden.com/help/account-encryption-key/
No matter if you just change the algorithm or rotate the key, you will need to log out on all your devices (desktop client, mobile client, browser extension) and login in again afterward.
What I did had no impact on OTP. -
@crazybrad said in Vaultwarden - Security Enhancement Tip:
Note: Each user will need to change this setting for their account.
Isn't it enforced by the
PASSWORD_ITERATIONSENV which updates it for all users on login? -
@andreasdueren Good question. I don't know the answer. Is there something similar for Argon2id parameters?
