How Bitwarden Protects Your Vault with Enhanced Argon2 and KDF iterations

Today we’ll discuss what the key derivation function (KDF) is, learn about the Argon2 key derivation function (KDF) and review KDF iterations. This article is written in plain language and provides a simplified view of part of the Bitwarden encryption model for broader understanding. To go deeper, you can read more in the Bitwarden Security Whitepaper and the help article on encryption.

Your Bitwarden vault is encrypted in a way so that only you have access to the data stored within it. It is secured through complex cryptographic programming and is locked up and inaccessible without its specific master key.

The master key is generated by the key derivation function (KDF). It is a specialized computer algorithm that takes your email address and master password and turns it into a long string of jumbled characters. It isn’t random and will always give the same result with the same inputs and settings, which is ideal for use in encryption.

The initial result from the KDF algorithm will get fed back into itself over and over again for a specified number of times, called KDF iterations, before arriving at the final master key. In February of 2023 Bitwarden increased the default amount of KDF iterations to 600,000 to make it harder for hackers to brute-force attack your vault. More on that is covered later in this article.

The KDF runs directly on your device through all the iterations to generate the master key every time you log into Bitwarden. All the decryption of the vault is done right there within the Bitwarden client and the master key never leaves your device. This is an important part of the Bitwarden zero-knowledge architecture.

Bitwarden now supports two types of KDF algorithms for creating your master key:

1. Argon2 was added to Bitwarden in the February 2023 release. It is a specialized KDF that protects against GPU-based brute-force and side-channel attacks. It increases the memory that a password cracking machine needs for making guesses, which strangles and slows down GPUs.

Bitwarden utilizes the Argon2id version of Argon2, which is recommended by OWASP to provide a balance of protection from the possible attack types. For users that are interested in switching to this KDF, more information and instructions are available in this help article.

Important note: Argon2id is configurable in the web vault and is supported in Bitwarden clients versioned 2023.2.0 and later. Earlier versions will support PBKDF2 only.

2. PBKDF2 with 600,000 iterations is the KDF algorithm used by Bitwarden by default. It is an industry standard recommended by the National Institute of Standards and Technology (NIST) and provides powerful protection.

The KDF plays two important roles. The first is to create a master key suitable for encryption purposes. The second is to impose a processing speed bump for anyone trying to crack into your vault.

When you log in, the Bitwarden client rapidly runs the KDF algorithm and all its iterations in the background to recreate the master key to unlock your vault. Because you’re only doing this once, you would hardly notice your device running this computation. However, a hacker trying to guess your master key would have to make billions or trillions of guesses, and every KDF iteration quickly multiplies the amount of processing power and time required.

With a strong master password and sufficient iterations, it would take more time to guess the master password than there is left in any of our lifetimes.

As computers get more and more powerful, experts recommend increasing amounts of KDF iterations to slow hackers down. In January 2023, the Open Web Application Security Project (OWASP) recommended 600,000 iterations for the PBKDF2 algorithm that Bitwarden uses, and Bitwarden set this as the default for new accounts as of the February 2023 release. Current users who want to make the change immediately should back up their vault and proceed through the steps in this Bitwarden help article.

But why not have millions of iterations? While increasing KDF iterations slows down hackers with specialized computers, older devices can get bogged down when logging in or unlocking your vault, resulting in a poor experience for legitimate users. It should be understood that a longer master password with the default amount of iterations is more secure than a shorter master password with a higher amount of KDF iterations.

A reasonable amount of KDF iterations and a strong, long, unique master password provides the best protection for your vault, providing security even if a hacker somehow obtained the locked and encrypted vault. Read the blog, How long should my password be? for great advice on creating a secure master password!

The KDF algorithm is only one part of the encryption processes that takes place behind the scenes at Bitwarden. If you would like to learn more about how your vault is secured, read the help article on encryption, the Bitwarden Security Whitepaper, or even experiment on the interactive cryptography page.

Check out the Password Strength Testing Tool and the Strong Password Generator for help in creating strong passwords.

Visit bitwarden.com today to learn more about password management, plans, pricing, and how Bitwarden can help you keep your logins and other sensitive data secure!