agent92 Posted January 19, 2023 Report Posted January 19, 2023 (edited) Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations. OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html Edited January 19, 2023 by agent92 1
chants92 Posted January 20, 2023 Report Posted January 20, 2023 4 hours ago, agent92 said: Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations. OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html This is a great question given that other password managers allow this value to be changed in settings.
agent92 Posted January 20, 2023 Author Report Posted January 20, 2023 To start with, it would be nice to just see the current iteration count in the app, meaning it actually checks it against the vault, not just pulling it from the KB. I just get worried since my vault is old and I know that Lastpass did not update their old vaults to the updated iteration count. It would not be very good if I was still at 24K iterations in this day and age. I know you can't have it super high as standard because of older devices, but if they let me set it I could adapt it to the capabilities of my devices.
Abhishek Dewan Posted January 20, 2023 Report Posted January 20, 2023 Hi @agent92 @chants92 Enpass encrypts your data (including all your Vaults) using 256-bit AES encryption, using the peer-reviewed, open-source encryption engine SQLCipher, and 100,000 rounds of PBKDF2-HMAC-SHA512 encoding. Regarding your request for custom PBKDF2 iteration count, I have forwarded it to our dedicated team for further consideration. Your patience in the meantime is appreciated. #SI-3250
agent92 Posted January 20, 2023 Author Report Posted January 20, 2023 What about old vaults? Have they been upgraded to 100K rounds?
Abhishek Dewan Posted January 23, 2023 Report Posted January 23, 2023 Hi @agent92 The old vaults were upgraded by Enpass V6. If you are using Enpass version V6, then your vault is using 100K iterations. It does not matter if you created the original vault years ago. The backup files from Enpass 5 or lower have the 24K iterations. Please remove old backup files. Also, consider adding more randomness to your master password by using a Keyfile. It will be much more effective than any protection offered by a higher number of iterations.
Jos Berkers Posted January 25, 2023 Report Posted January 25, 2023 Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and recent hack at Lastpass! How can I increase this myself in Enpass to 600,000 iterations? Which is currently considered a safe minimum. 3
agent92 Posted January 25, 2023 Author Report Posted January 25, 2023 It's good that current vaults were upgraded to 100K, but we do need the ability to set our own iteration count. 1
MrElectrifyer Posted January 28, 2023 Report Posted January 28, 2023 On 1/25/2023 at 6:35 AM, Jos Berkers said: Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and recent hack at Lastpass! How can I increase this myself in Enpass to 600,000 iterations? Which is currently considered a safe minimum. Thanks for sharing that informative article @Jos Berkers. Hopefully the Enpass team offer up a solution ASAP to this concern. 2
Myna Posted October 5, 2023 Report Posted October 5, 2023 On 10/4/2023 at 1:34 PM, Specter said: Are there any updates on this topic? A couple of months back, it was increased from 100K to 320K.
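To put the iteration counts quoted in this thread (24K, 100K, 320K, 600K) side by side, here is an added example that is not Enpass code and does not parse an Enpass vault: it derives keys with PBKDF2-HMAC-SHA512 (the KDF named above) at each count, measures the per-guess cost on the local CPU, and shows the kind of known-answer check that could confirm which count a key was actually derived with. The salt, password and the labels in the table are constructed, and `identify_iteration_count` is a hypothetical helper illustrating the principle only.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Iteration counts quoted in this thread (constructed table; the labels are mine).
ITERATIONS = {
    "enpass5_backup": 24_000,    # backup files from Enpass 5 or lower
    "enpass6": 100_000,          # vaults after the Enpass 6 upgrade
    "enpass_2023": 320_000,      # the increase mentioned in October 2023
    "thread_minimum": 600_000,   # the figure cited above as a safe minimum
}

def derive_vault_key(master_password: str, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA512, the KDF named for Enpass in this thread; 32 bytes suits AES-256."""
    return hashlib.pbkdf2_hmac("sha512", master_password.encode("utf-8"), salt, iterations, dklen=key_len)

def relative_cost(iterations: int, baseline: int) -> float:
    """How many times more work each password guess costs than at the baseline count."""
    return iterations / baseline

def seconds_per_derivation(master_password: str, salt: bytes, iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine. This is what a
    legitimate unlock costs; an attacker with GPUs pays far less per guess."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key(master_password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def identify_iteration_count(master_password: str, salt: bytes, expected_key: bytes,
                             candidates: Iterable[int]) -> Optional[int]:
    """Hypothetical known-answer check: given a key you can reproduce, report which candidate
    count produced it. Enpass does not expose its key this way; this only shows the principle
    behind 'check the count against the vault, not against the KB article'."""
    for count in sorted(set(candidates)):
        candidate = derive_vault_key(master_password, salt, count, len(expected_key))
        if hmac.compare_digest(candidate, expected_key):
            return count
    return None

if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed; a real vault keeps its own salt
    password = "correct horse battery staple"  # constructed sample password
    for name, count in ITERATIONS.items():
        t = seconds_per_derivation(password, salt, count)
        print(f"{name:15s} {count:>7,d} iterations  {t * 1000:7.1f} ms/unlock  "
              f"x{relative_cost(count, ITERATIONS['enpass6']):.2f} vs 100K")
```

The printed multipliers are exact (PBKDF2 cost is linear in the iteration count); the millisecond figures depend on your CPU, which is why the thread's point about older devices matters.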