Server: Argon2 memory-hard key derivation function for master password

Created on 11 Mar 2017  路  4Comments  路  Source: bitwarden/server

One of the limitation of PBKDF2 is that it depends on many iteration of hashing to slow down computation. That isn't as effective a defense against password guessing when you factor in that it is possible for someone to build an ASIC or even GPU that can try multiple combinations simultaneously. The problem with ASIC sort of attack is that they don't have that much memory for each combination they could try in parallel. This is why some of the more recent password hashing algorithms -- including the PHC password hashing winner Argon2 do not rely on only iterations but also requiring a good amount of memory for each key derivation. Bottom line: Argon2 is not just CPU-hard, but also memory-hard. This is also true for another popular key derivation function scrypt which kind of inspired the idea of having the PHC competition in the first place.

Most helpful comment

Thanks for the feedback.

I am aware of Argon2 and it's benefits over PBKDF2, however, since bitwarden is a cross-platform application that is written on many different languages/frameworks we must use an algorithm that is a standard. PBKDF2 has native implementations on all platforms that we deal with. Argon2 is relatively young and is not yet widely implemented. If we were to use Argon2 we would have to rely on unproven third-party libraries.

All 4 comments

Thanks for the feedback.

I am aware of Argon2 and it's benefits over PBKDF2, however, since bitwarden is a cross-platform application that is written on many different languages/frameworks we must use an algorithm that is a standard. PBKDF2 has native implementations on all platforms that we deal with. Argon2 is relatively young and is not yet widely implemented. If we were to use Argon2 we would have to rely on unproven third-party libraries.

We are moving away from tracking Bitwarden feature requests like this one as GitHub issues. We have created a Bitwarden Community Forum which has a section for submitting, voting for, and discussing product feature requests.

Please sign up on our forums, search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.

This issue will now be closed. Thanks!

I am aware of Argon2 and it's benefits over PBKDF2, however, since bitwarden is a cross-platform application that is written on many different languages/frameworks we must use an algorithm that is a standard. PBKDF2 has native implementations on all platforms that we deal with. Argon2 is relatively young and is not yet widely implemented. If we were to use Argon2 we would have to rely on unproven third-party libraries.

Your application relies on unproven first-party libraries. There are quality implementations for Argon2 that have comprehensive test suites for every platform on which Bitwarden runs. This is handwaving.

The Argon2 libraries you reject have far better review processes and test coverage than Bitwarden itself.

I've created a (planned to be temporary) fork at https://github.com/michaelsmoody/bitwarden-jslib-argon2. If you would like access to help move to Argon2, let me know. The goal is simply to do the work, and create a PR for upstream, rather than being a permanent fork.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

marcrib picture marcrib  路  5Comments

mr-gosh picture mr-gosh  路  3Comments

Sx3 picture Sx3  路  4Comments

yureiita picture yureiita  路  3Comments

chasgames picture chasgames  路  4Comments