Bitwarden design flaw: Server side iterations #3162
Replies: 4 comments 33 replies
-
In vaultwarden you can find your current settings (server side) under "/admin", or you can check the config.json for its current value and change it there (it is actually the same place: /admin == config.json). Or you can set it in the .env (https://github.com/dani-garcia/vaultwarden/blob/main/.env.template). However, my question would be: how can we tackle the user settings? Is there a way in vaultwarden to manipulate the default user-creation skeleton and set the value to, let's say, 600k (and yes, I know about the compatibility issues with old devices)?
-
The client-side iterations are defined in the client. So that would be the web-vault, or any other client which is able to create an account.
-
EDIT: Removed my dirty hack, since it was not working as expected and caused account logout. Don't apply it!
-
Sorry, I'm a little confused about password iterations. On the Bitwarden site I found they have 600000 on the server side + 100000 on the client side.
-
There was just an article posted on HN regarding this server-side iteration count being too low in Bitwarden: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/
What are the server-side iterations set to in vaultwarden? The client default appears to be 100k, which I guess should be higher as well, since OWASP just changed the recommendation to 600k.
HN discussion: https://news.ycombinator.com/item?id=34497898
Beta Was this translation helpful? Give feedback.
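To make the "server side vs. client side iterations" distinction in this thread concrete, here is an added example (not code from the thread, from Bitwarden, or from vaultwarden) that reproduces the key-derivation chain as Bitwarden publicly documents it: PBKDF2-HMAC-SHA256 over the password with the lowercased email as salt (client iterations), a 1-iteration PBKDF2 to produce the login hash sent to the server, another PBKDF2 on the server (the count the vaultwarden setting controls), and an HKDF-Expand stretch of the master key into separate AES and HMAC keys that protect the user's symmetric key as an AES-CBC + HMAC-SHA256 blob. All inputs (email, password, server salt, IV, ciphertext bytes) are constructed; the ciphertext is a random placeholder because the stdlib has no AES and the guessing loop never needs to decrypt. Function and parameter names are my own. The point it demonstrates is the one in the linked article: the same database row that holds the server-hashed login value also holds the HMAC-protected symmetric key, and checking a guess against that MAC costs only the client-side iterations, so raising the server-side count alone does not raise the attacker's per-guess cost.

```python
"""Bitwarden-style KDF chain with constructed inputs (added example, not project code)."""
import hashlib
import hmac
import os

KEY_LEN = 32  # PBKDF2-HMAC-SHA256 output size and AES-256 key size, in bytes


def master_key(password: bytes, email: bytes, client_iterations: int) -> bytes:
    """Client side: master key = PBKDF2-SHA256(password, salt = trimmed, lowercased email)."""
    return hashlib.pbkdf2_hmac("sha256", password, email.strip().lower(), client_iterations, KEY_LEN)


def master_password_hash(mk: bytes, password: bytes) -> bytes:
    """Client side: the login value sent to the server, PBKDF2 with a single iteration."""
    return hashlib.pbkdf2_hmac("sha256", mk, password, 1, KEY_LEN)


def server_stored_hash(mph: bytes, server_salt: bytes, server_iterations: int) -> bytes:
    """Server side: what is stored for login verification. Only this step uses the server setting."""
    return hashlib.pbkdf2_hmac("sha256", mph, server_salt, server_iterations, KEY_LEN)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (the Extract step is not used here)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def stretch(mk: bytes):
    """Stretched master key: an AES key and a separate HMAC key derived from the master key."""
    return hkdf_expand_sha256(mk, b"enc"), hkdf_expand_sha256(mk, b"mac")


def protect_symmetric_key(mk: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """MAC over iv || ciphertext, as in the AES-CBC + HMAC-SHA256 blob that wraps the user key.

    `ciphertext` is a constructed placeholder for the AES-CBC output; it is never decrypted here.
    """
    _enc_key, mac_key = stretch(mk)
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def guess_cost_via_login_hash(client_iterations: int, server_iterations: int) -> int:
    """PBKDF2 rounds per guess if the attacker targets the server-stored login hash."""
    return client_iterations + 1 + server_iterations


def guess_cost_via_protected_key(client_iterations: int) -> int:
    """PBKDF2 rounds per guess if the attacker instead checks the MAC on the protected key."""
    return client_iterations


def crack_via_protected_key(candidates, email, client_iterations, iv, ciphertext, mac):
    """Offline guessing against the protected key blob from the same leaked database row.

    Each guess costs client_iterations PBKDF2 rounds plus three HMACs, regardless of the
    server-side iteration count, which never enters this computation.
    """
    for pw in candidates:
        mk = master_key(pw, email, client_iterations)
        if hmac.compare_digest(protect_symmetric_key(mk, iv, ciphertext), mac):
            return pw
    return None


def demo(client_iterations: int = 100_000, server_iterations: int = 600_000) -> dict:
    """Run the whole chain on constructed inputs and report what a leaked row exposes."""
    email, password = b"User@Example.org", b"correct horse battery staple"  # constructed
    mk = master_key(password, email, client_iterations)
    mph = master_password_hash(mk, password)
    stored_hash = server_stored_hash(mph, os.urandom(16), server_iterations)  # constructed salt
    iv, ciphertext = os.urandom(16), os.urandom(48)  # constructed placeholder for the AES-CBC blob
    mac = protect_symmetric_key(mk, iv, ciphertext)
    wordlist = [b"password1", b"hunter2", password]  # constructed candidate list
    recovered = crack_via_protected_key(wordlist, email, client_iterations, iv, ciphertext, mac)
    return {
        "stored_hash_len": len(stored_hash),
        "recovered": recovered,
        "cost_via_login_hash": guess_cost_via_login_hash(client_iterations, server_iterations),
        "cost_via_protected_key": guess_cost_via_protected_key(client_iterations),
    }


if __name__ == "__main__":
    print(demo())
```

Changing the vaultwarden server-side setting discussed above only changes the `server_iterations` argument, which affects `server_stored_hash` and nothing else; the `crack_via_protected_key` loop is unaffected, which is why the client-side count (set by the web-vault or other client at account creation) is the one that determines the attacker's cost against a leaked database.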