Enpass Discussion Forum

Custom PBKDF2 iteration count


agent92

Is it possible to set the PBKDF2 iteration count in Enpass?

I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm

But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.

OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html


4 hours ago, agent92 said:

Is it possible to set the PBKDF2 iteration count in Enpass?

I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm

But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.

OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

This is a great question given that other password managers allow this value to be changed in settings.


To start with it would be nice to just see the current iteration count in the app, meaning it actually checks it against the vault, not just pulling it from the KB :D

I just get worried since my vault is old and I know that Lastpass did not update their old vaults to the updated iteration count. Would not be very good if I was still at 24K iterations in this day and age.

I know you can't have it super high as standard because of older devices but if they let me set it I could adapt it to the capabilities of my devices.


Hi @agent92 @chants92

Enpass encrypts your data (including all your Vaults) using 256-bit AES encryption, using the peer-reviewed, open-source encryption engine SQLCipher, and 100,000 rounds of PBKDF2-HMAC-SHA512 encoding.

Regarding your request for custom PBKDF2 iteration count, I have forwarded it to our dedicated team for further consideration. Your patience in the meantime is appreciated.

#SI-3250


Hi @agent92

The old vaults were upgraded by Enpass V6. If you are using Enpass version V6, then your vault is using 100K iterations. It does not matter if you have created the original vault years ago.

The backup files created by Enpass 5 or lower have the 24K iterations. Please remove old backup files. Also, consider adding more randomness to your master password by using a Keyfile. It will be much more effective than any protection offered by a higher number of iterations.


On 1/25/2023 at 6:35 AM, Jos Berkers said:

Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and the recent hack at LastPass!

How can I increase this myself in Enpass to 600,000 iterations, which is currently considered a safe minimum?

Thanks for sharing that informative article @Jos Berkers. Hopefully the Enpass team offer up a solution ASAP to this concern.

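Two things in this thread lend themselves to a worked example: the request to calibrate the iteration count to what a given device can afford (pick the largest count that still unlocks within an acceptable delay), and the cost arithmetic behind the staff reply that a keyfile buys far more than raising rounds (going from 100K to 600K iterations adds only log2(6) ≈ 2.6 bits of attacker work, while a random keyfile adds its full entropy). The script below is an added example, not Enpass code: the keyfile-mixing step (HMAC the password under the keyfile before stretching), the candidate iteration counts, the fixed salt and the sample password are all assumptions for illustration. It uses the standard PBKDF2-HMAC-SHA512 from Python's hashlib, which is the same primitive the KB names, but says nothing about Enpass's real vault layout, salt handling or keyfile scheme.

```python
"""PBKDF2 iteration-count calibration and work-factor arithmetic.

Added illustration for the Enpass forum thread; not Enpass's own code.
Vault format, salt handling and keyfile mixing here are assumptions.
"""
import hashlib
import hmac
import math
import time
from typing import Callable, Optional, Sequence

# Constructed sample inputs. A real vault uses a random per-vault salt
# and a random keyfile; these fixed values only keep the example deterministic.
SALT = bytes.fromhex("00" * 16)
PASSWORD = b"correct horse battery staple"
KEYFILE = b"\x01" * 64

# Counts mentioned in the thread (24K: Enpass 5 backups, 100K: Enpass 6,
# 600K: the minimum the later reply argues for) plus one larger step.
CANDIDATES = (24_000, 100_000, 600_000, 1_000_000)


def derive_key(password: bytes, salt: bytes, iterations: int,
               keyfile: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA512 with a 32-byte output (AES-256 key size).

    Keyfile handling is an ASSUMED scheme for illustration: the password is
    HMAC'd under the keyfile bytes before stretching, so an attacker without
    the keyfile cannot even start guessing passwords. Enpass's real scheme
    is not documented on the page and may differ.
    """
    secret = password
    if keyfile is not None:
        secret = hmac.new(keyfile, password, hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", secret, salt, iterations, dklen=32)


def time_iterations(iterations: int, repeats: int = 3) -> float:
    """Median wall-clock seconds for one derivation at this count on this device."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        derive_key(PASSWORD, SALT, iterations)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def calibrate(target_seconds: float,
              candidates: Sequence[int] = CANDIDATES,
              measure: Callable[[int], float] = time_iterations) -> int:
    """Largest candidate that still unlocks within target_seconds.

    This is what "let me set it per device" amounts to: a slow phone gets a
    lower count, a desktop a higher one. Falls back to the smallest candidate
    if nothing meets the target. `measure` is injectable so the selection
    logic can be tested without real timing.
    """
    chosen = candidates[0]
    for n in sorted(candidates):
        if measure(n) <= target_seconds:
            chosen = n
    return chosen


def extra_bits(old_iterations: int, new_iterations: int) -> float:
    """Security gained by raising the iteration count, in bits.

    Each guess costs new/old times as much, so the attacker's effective work
    rises by log2(new/old) bits. 24K -> 100K is about 2.06 bits and
    100K -> 600K about 2.58 bits; a 256-bit random keyfile adds 256 bits.
    """
    return math.log2(new_iterations / old_iterations)


if __name__ == "__main__":
    print(f"24K -> 100K: +{extra_bits(24_000, 100_000):.2f} bits")
    print(f"100K -> 600K: +{extra_bits(100_000, 600_000):.2f} bits")
    for n in CANDIDATES:
        print(f"{n:>9} iterations: {time_iterations(n):.3f} s")
    print("largest count unlocking within 0.5 s:", calibrate(0.5))
    k1 = derive_key(PASSWORD, SALT, 100_000)
    k2 = derive_key(PASSWORD, SALT, 100_000, keyfile=KEYFILE)
    print("key without keyfile:", k1.hex()[:16], "... with keyfile:", k2.hex()[:16], "...")
```

The timing loop is the only device-specific part; everything else is arithmetic. Note what the numbers say: the whole 24K to 600K range discussed in the thread is worth under five bits against an offline attacker, which is why the staff reply steers toward a keyfile rather than a larger round count, and why a leaked pre-v6 backup at 24K is a bigger concern than the 100K versus 600K debate.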
