It seems that the OWASP recommendations for PBKDF2 iterations were two years old and based on the previous generation of graphics cards. One hour ago they were updated to consider current graphics cards: https://github.com/OWASP/CheatSheetSeries/pull/1055

So the recommendation for #LastPass and #Bitwarden is now 600,000 iterations. #1Password is not affected, its secret key feature changes the calculation considerably.

Update PBKDF2 work factors according to RTX4000 #1043 by oddcb · Pull Request #1055 · OWASP/CheatSheetSeries

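As an added example (not code from this thread, from OWASP, or from any of the password managers mentioned), here is what the 600,000 figure means in practice: PBKDF2-HMAC-SHA256 via Python's hashlib, a small reference loop showing that every iteration is one more HMAC call (so the cost of each password guess scales linearly with the setting), and a check of a configured iteration count against the quoted minimum. The salt, passwords and iteration counts below are constructed values, not any product's real parameters.

```python
"""PBKDF2-HMAC-SHA256 at the updated OWASP work factor (added illustration)."""
import hashlib
import hmac
import time

# The minimum quoted in the thread for PBKDF2-HMAC-SHA256 (OWASP cheat sheet, 2023).
OWASP_PBKDF2_SHA256_MIN_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    `salt` stands in for whatever per-user value a product mixes in (constructed
    here); `iterations` is the user-visible setting the thread is about.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def pbkdf2_sha256_reference(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Reference loop for one 32-byte output block (RFC 8018, section 5.2).

    Kept only to show where the iteration count goes: U1 = HMAC(P, S || INT(1)),
    U_i = HMAC(P, U_{i-1}), and the block is the XOR of all U_i. Each extra
    iteration is exactly one extra HMAC for the defender and for the attacker.
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), "sha256").digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, "sha256").digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(32, "big")


def meets_recommendation(iterations: int) -> bool:
    """True if a vault's configured PBKDF2-HMAC-SHA256 count meets the 600,000 floor."""
    return iterations >= OWASP_PBKDF2_SHA256_MIN_ITERATIONS


def attacker_cost_ratio(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the count, so raising it multiplies the work per
    guess (on any hardware, GPUs included) by new/old."""
    return new_iterations / old_iterations


def time_derivation(master_password: str, salt: bytes, iterations: int) -> float:
    """Wall-clock seconds for one derivation; what the user pays at each unlock."""
    start = time.perf_counter()
    derive_vault_key(master_password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"user@example.com"  # constructed stand-in for a per-user salt
    pw = "correct horse battery staple"  # constructed test password
    for iters in (100_000, OWASP_PBKDF2_SHA256_MIN_ITERATIONS):
        print(
            f"{iters:>9,} iterations: {time_derivation(pw, salt, iters):.3f}s per unlock,"
            f" meets recommendation: {meets_recommendation(iters)}"
        )
    print("cost multiplier 100,000 -> 600,000:", attacker_cost_ratio(100_000, 600_000))
```

The timing loop is the practical check: if 600,000 iterations takes well under a second on your laptop, the old count was simply leaving cheap attacker speed-up on the table, because the attacker's per-guess cost is the same linear function of the count.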
@WPalant
Looks like I need to check my #bitwarden settings.

@WPalant IIRC 1Password's solution, that secret key, is designed for vendor lock-in. If you stop paying for your subscription, you're locked out.

@bitwarden et al are waiting for JS hooks that implement Argon2, so it's up to @mozilla, @google, and #OpenJSF (Electron).

@adamhotep I don’t think I get your point about the secret key and subscription.

No, #Bitwarden doesn’t need the browser to implement Argon2. They’ve been using Argon2 performance as an excuse, but efficient WASM implementations exist. And that’s exactly what they are working on right now – there is a pull request that will hopefully be merged soon.

@WPalant Great news for Bitwarden!

I thought 1Password locked their vaults in the cloud (using the aforementioned secret key). Access requires an active subscription and an active internet connection. Maybe I'm off base, I won't use them due to having acceptable F/OSS options.

@adamhotep No, the secret key is the user’s secret used to decrypt their data. It stays on their device(s). It is completely unrelated to any subscriptions.
@WPalant ah, gotcha. That'll still tether you to your devices, but it sounds quite reasonable for anybody who has multiple devices and/or (securely) backs up their data.
@WPalant @adamhotep also, to clarify. If your subscription expires you’re not locked out. You still have full access to your vault. You are just prevented from adding new entries. I asked them this very question long ago for clarification.