Insecure KDF iterations settings
-
Vaultwarden is installed by default with non-secure kdf iterations settings - would you please, set it up to 600.000 as a minimum please? Ideally - have it set up till 2.000.000
-
Vaultwarden is installed by default with non-secure kdf iterations settings - would you please, set it up to 600.000 as a minimum please? Ideally - have it set up till 2.000.000
@potemkin_ai said in Insecure KDF iterations settings:
600.000 as a minimum please?
Yeah, is the default on Bitwarden according to https://bitwarden.com/help/kdf-algorithms/
-
@potemkin_ai said in Insecure KDF iterations settings:
600.000 as a minimum please?
Yeah, is the default on Bitwarden according to https://bitwarden.com/help/kdf-algorithms/
@jdaviescoates it was not in case of my server setup, and I didn't touch a thing since it was installed!
-
One more thing:
You are using a plain text
ADMIN_TOKENwhich is insecure.
Please generate a secure Argon2 PHC string by usingvaultwarden hashorargon2.Admin token - which enables full access - is indeed stored plain text and accessible for cloudron admin.
-
here is an official doc, just in case: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
-
In my server atleast, config.json has
"password_iterations": 600000,I don't remember changing this
-
-
One more thing:
You are using a plain text
ADMIN_TOKENwhich is insecure.
Please generate a secure Argon2 PHC string by usingvaultwarden hashorargon2.Admin token - which enables full access - is indeed stored plain text and accessible for cloudron admin.
@potemkin_ai said in Insecure KDF iterations settings:
Admin token - which enables full access - is indeed stored plain text and accessible for cloudron admin.
I think you have to regenerate it like https://docs.cloudron.io/apps/vaultwarden/#admin which already uses argon
-
@girish said in Insecure KDF iterations settings:
The default install has 60k, so maybe I am missing something with this report.
The default Cloudron install (now) has even 600k, not only 60k.
But I think it wasn't always like this (see https://forum.cloudron.io/topic/11194/vaultwarden-security-enhancement-tip/) and @potemkin_ai has an old install? -
@girish said in Insecure KDF iterations settings:
The default install has 60k, so maybe I am missing something with this report.
The default Cloudron install (now) has even 600k, not only 60k.
But I think it wasn't always like this (see https://forum.cloudron.io/topic/11194/vaultwarden-security-enhancement-tip/) and @potemkin_ai has an old install?@necrevistonnezr said in Insecure KDF iterations settings:
The default Cloudron install (now) has even 600k, not only 60k.
ah, even in my screenshot it is 600k. I misread it!
-
@girish said in Insecure KDF iterations settings:
The default install has 60k, so maybe I am missing something with this report.
The default Cloudron install (now) has even 600k, not only 60k.
But I think it wasn't always like this (see https://forum.cloudron.io/topic/11194/vaultwarden-security-enhancement-tip/) and @potemkin_ai has an old install?@necrevistonnezr my installation is quite old - that's correct. Thanks for checking in!
@girish , thank you for the doc's reference! Guess it might make sense to stress that during the installation, as well as an offer to increase KDF up to 2 mln (as per Bitwarden docs as well).
