Enpass Discussion Forum
Custom PBKDF2 iteration count

Is it possible to set the PBKDF2 iteration count in Enpass?

I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm

But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.

OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Edited by agent92

4 hours ago, agent92 said:

Is it possible to set the PBKDF2 iteration count in Enpass?

I can see here it's set to 100K: https://support.enpass.io/app/kb/data_security_and_encryption_in_enpass.htm

But is it like that for all vaults? My vault is several years old and I've seen old forum threads where it says it used to be 24K iterations.

OWASP recommends 120K iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

This is a great question given that other password managers allow this value to be changed in settings.

  • Author

To start with it would be nice to just see the current iteration count in the app, meaning it actually checks it against the vault not just pulling it from the KB :D

I just get worried since my vault is old and I know that LastPass did not update their old vaults to the updated iteration count. Would not be very good if I was still at 24K iterations in this day and age.

I know you can't have it super high as standard because of older devices but if they let me set it I could adapt it to the capabilities of my devices.

Hi @agent92 @chants92

Enpass encrypts your data (including all your Vaults) using 256-bit AES encryption, using the peer-reviewed, open-source encryption engine SQLCipher, and 100,000 rounds of PBKDF2-HMAC-SHA512 encoding.

Regarding your request for custom PBKDF2 iteration count, I have forwarded it to our dedicated team for further consideration. Your patience in the meantime is appreciated.

#SI-3250

  • Author

What about old vaults? Have they been upgraded to 100K rounds?

Hi @agent92

The old vaults were upgraded by Enpass V6. If you are using Enpass version V6, then your vault is using 100K iterations. It does not matter if you have created the original vault years ago.

The backup files created by Enpass 5 or lower have 24K iterations. Please remove old backup files. Also, consider adding more randomness to your master password by using a Keyfile. It will be much more effective than any protection offered by a higher number of iterations.

  • Author

It's good that current vaults were upgraded to 100K, but we do need the ability to set our own iteration count.

On 1/25/2023 at 6:35 AM, Jos Berkers said:

Unfortunately, 100,000 iterations is no longer considered sufficient. See: https://palant.info/2023/01/23/bitwarden-design-flaw-server-side-iterations/ and the recent hack at LastPass!

How can I increase this myself in Enpass to 600,000 iterations? Which is currently considered a safe minimum.

Thanks for sharing that informative article @Jos Berkers. Hopefully the Enpass team offers up a solution ASAP to this concern.

  • 8 months later...
On 10/4/2023 at 1:34 PM, Specter said:

Are there any updates on this topic?

A couple of months back, it was increased from 100K to 320K.
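
Added example, not part of the thread and not Enpass code: a Python sketch that puts the iteration counts quoted above (24K, 100K, 320K, 600K) on one scale as bits of per-guess attacker work, compares that with extra randomness in the secret (the keyfile point made in the staff reply), and calibrates a count to a device's speed as the original poster suggested. The function names and the 20-bit figure are assumptions for illustration; it derives keys with PBKDF2-HMAC-SHA512 from Python's standard library and does not read an Enpass vault.

```python
import hashlib
import math
import os
import time

# Iteration counts quoted in the thread.
THREAD_COUNTS = {
    "Enpass 5 backups": 24_000,
    "Enpass 6": 100_000,
    "after the later increase": 320_000,
    "figure requested by a poster": 600_000,
}

def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512, the construction named in the thread; 32 bytes for AES-256."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=32)

def work_factor_bits(iterations: int, baseline: int) -> float:
    """Extra per-guess attacker work, in bits, from raising baseline to iterations."""
    return math.log2(iterations / baseline)

def equivalent_iterations(baseline: int, extra_secret_bits: int) -> int:
    """Iteration count that would match adding extra_secret_bits of randomness."""
    return baseline * 2 ** extra_secret_bits

def calibrate(target_seconds: float, floor: int = 100_000, probe: int = 20_000) -> int:
    """Largest count this device derives in about target_seconds, never below floor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"constructed sample password", salt, probe)
    per_iteration = (time.perf_counter() - start) / probe
    return max(floor, int(target_seconds / per_iteration))

if __name__ == "__main__":
    for label, count in THREAD_COUNTS.items():
        bits = work_factor_bits(count, THREAD_COUNTS["Enpass 6"])
        print(f"{label:30s} {count:>8,d} iterations  {bits:+.2f} bits vs 100K")
    # Assumption: 20 bits of extra randomness in the secret (hypothetical figure).
    print(f"20 extra random bits ~ {equivalent_iterations(100_000, 20):,d} iterations")
    print(f"about 0.5 s on this device: {calibrate(0.5):,d} iterations")
```

Each doubling of the iteration count adds one bit of per-guess cost, while the legitimate user pays the same multiple in unlock time on every device.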
