agent92
Posted January 19, 2023 (edited)

Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm

But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.

OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Edited January 19, 2023 by agent92

chants92
Posted January 20, 2023

4 hours ago, agent92 said:
> Is it possible to set the PBKDF2 iteration count in Enpass? I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm
> But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.
> OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

This is a great question given that other password managers allow this value to be changed in settings.

agent92 (Author)
Posted January 20, 2023

To start with it would be nice to just see the current iteration count in the app, meaning it actually checks it against the vault, not just pulling it from the KB.

I just get worried since my vault is old and I know that Lastpass did not update their old vaults to the updated iteration count. Would not be very good if I was still at 24K iterations in this day and age.

I know you can't have it super high as standard because of older devices, but if they let me set it I could adapt it to the capabilities of my devices.

Abhishek Dewan
Posted January 20, 2023

Hi @agent92 @chants92

Enpass encrypts your data (including all your Vaults) using 256-bit AES encryption, using the peer-reviewed, open-source encryption engine SQLCipher, and 100,000 rounds of PBKDF2-HMAC-SHA512 encoding.

Regarding your request for custom PBKDF2 iteration count, I have forwarded it to our dedicated team for further consideration. Your patience in the meantime is appreciated.

#SI-3250

agent92 (Author)
Posted January 20, 2023

What about old vaults? Have they been upgraded to 100K rounds?

Abhishek Dewan
Posted January 23, 2023

Hi @agent92

The old vaults were upgraded by Enpass V6. If you are using Enpass version V6, then your vault is using 100K iterations. It does not matter if you have created the original vault years ago.

The backup files by Enpass 5 or lower have the 24K iterations. Please remove old backup files.

Also, consider adding more randomness to your master password by using a Keyfile. It will be much more effective than any protection offered by a higher number of iterations.

Jos Berkers
Posted January 25, 2023

Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and recent hack at Lastpass!

How can I increase this myself in Enpass to 600,000 iterations? Which is currently considered a safe minimum.

agent92 (Author)
Posted January 25, 2023

It's good that current vaults were upgraded to 100K but we do need the ability to set our own iteration count.

MrElectrifyer
Posted January 28, 2023

On 1/25/2023 at 6:35 AM, Jos Berkers said:
> Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and recent hack at Lastpass!
> How can I increase this myself in Enpass to 600,000 iterations? Which is currently considered a safe minimum.

Thanks for sharing that informative article @Jos Berkers. Hopefully the Enpass team offer up a solution ASAP to this concern.

Specter
Posted October 4, 2023

Are there any updates on this topic?

Myna
Posted October 5, 2023

On 10/4/2023 at 1:34 PM, Specter said:
> Are there any updates on this topic?

A couple of months back, it was increased from 100K to 320K.

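The trade-off raised in this thread between a higher iteration count and a keyfile, as an added example (not part of any post and not Enpass code): it derives a key with PBKDF2-HMAC-SHA512 at the counts quoted above and expresses each increase as bits of extra attacker work. The keyfile size (32 random bytes) and the way it is mixed into the password are assumptions.

```python
import hashlib
import math
import os
import time

# Iteration counts quoted in the thread.
THREAD_COUNTS = {
    "Enpass 5 backups": 24_000,
    "Enpass 6": 100_000,
    "later increase": 320_000,
    "requested": 600_000,
}
KEYFILE_BITS = 256  # assumption: the keyfile holds 32 random bytes


def derive_key(password: bytes, salt: bytes, iterations: int, keyfile: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA512 down to a 256-bit key.

    Hashing the keyfile and appending it to the password is an assumption
    made for this sketch; the thread does not say how Enpass combines them.
    """
    secret = (password + hashlib.sha512(keyfile).digest()) if keyfile else password
    return hashlib.pbkdf2_hmac("sha512", secret, salt, iterations, dklen=32)


def gain_bits(old_iterations: int, new_iterations: int) -> float:
    """Extra offline-guessing work, in bits, from raising the iteration count."""
    return math.log2(new_iterations / old_iterations)


def seconds_per_guess(iterations: int) -> float:
    """Time one derivation locally; each offline guess needs the same HMAC count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"constructed sample passphrase", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for label, count in THREAD_COUNTS.items():
        print(f"{label:18} {count:>7,} iterations  "
              f"{seconds_per_guess(count) * 1000:7.1f} ms/guess  "
              f"{gain_bits(24_000, count):+.2f} bits vs 24K")
    print(f"random keyfile: +{KEYFILE_BITS} bits regardless of iteration count")
```

Raising the count scales the cost of each guess linearly, so every doubling is worth one bit, while a randomly generated keyfile adds its full entropy to the secret being guessed.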