Sc00bzYou may have seen this paper (https://eprint.iacr.org/2026/058.pdf), but it's not all doom and gloom the authors got a few things incorrect (2 out of 3 of the things I looked for). Like Bitwarden having a downgrade attack all the way down to 1 iteration of PBKDF2 but it's 5000. Also 1Password does not have a downgrade attack because they use a PAKE.
Bonus this is just so fucking stupid: "PROPOSED MITIGATION. The attack has limited impact, but it would be easy for 1Password to prevent it entirely: the secret key can be used (with proper key derivation) to authenticate the KDF parameters with a cryptographic MAC."... wait do they know about 1Password's "secret key" (previous names were "device key" and "account key"). OK if they do then not completely stupid, but still stupid because a stolen device now gives you offline vs online password guessing and removes the post compromised mitigations. Anyway others might look at that and go "let's to that" and they'll end up giving everyone a hash of your password to crack offline.
Dmitry Chestnykh ☮️@sc00bz Haha, that's exactly what happened — I once read a publicly available security audit of an encrypted notetaking app and found this
@dchest They also suggest this for Bitwarden and LastPass. So it's exactly the same as that.
"Further, authenticating security-critical user settings like PBKDF parameters (such as the iteration count) would mitigate the KDF attacks (BW07, LP04). The client can use the server-provided KDF parameters to derive the authentication key, use it to verify the integrity of the parameters themselves, and – in case of a mismatch – abort before any further communication with the server."