Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0
4.51k stars 267 forks

Change KDF according to benchmark #784

Open ghost opened 3 years ago

ghost commented 3 years ago

Is your feature request related to a problem? Please describe.
The current default setting is AES-KDF with 6,000 transformation rounds. It is obviously too low, without need. For your information, KeePassXC warns about AES-KDF with fewer than 100,000 transformation rounds.

Describe the solution you'd like
- KDF: Argon2 (because all maintained KeePass clients I know have already supported Argon2)
- Transformation rounds: 1-sec benchmark
- Memory usage: 32/64 MiB (compatibility with iOS platform)
- Parallelism: the number of CPU cores

Describe alternatives you've considered
Just increase the number of transformation rounds. For example, the Keepass2Android default setting is 500,000, and the previous default value for KeePassXC (now Argon2 and 1-sec benchmark) is 1,000,000.

Additional context
I don't know if the above settings work well on all supported devices (especially Cortex-A7?), or if they are appropriate for security.

J-Jamet commented 3 years ago

I put it at 500,000, which seems reasonable for an old device (Galaxy S I9000). I leave the feature open for the automatic generation of the KDF parameters according to a defined time.
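To make the "1-sec benchmark" idea concrete, here is an added example (not KeePassDX code, which is Kotlin; this is Go so it runs stand-alone) that implements the KeePass AES-KDF key transform from the standard library and then calibrates a round count by timing that transform on the current device. The transform is the documented KDBX one: AES-256-ECB over each 16-byte half of the 32-byte key, repeated `rounds` times, followed by SHA-256. The function names, the 10,000-round sampling batch, and the use of 100,000 as a hard floor (the KeePassXC warning threshold quoted in the issue) are this example's own choices, not anything the project defines.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"time"
)

// AESKDFTransform applies the KDBX AES-KDF: encrypt both 16-byte halves of
// the composite key with AES-256 (keyed by the transform seed) for the given
// number of rounds, then hash the result with SHA-256.
func AESKDFTransform(key [32]byte, seed [32]byte, rounds uint64) ([32]byte, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return [32]byte{}, err
	}
	buf := key
	for i := uint64(0); i < rounds; i++ {
		// In-place encryption is allowed by cipher.Block when dst == src.
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	return sha256.Sum256(buf[:]), nil
}

// BenchmarkRounds runs the transform for roughly `sample` wall-clock time,
// extrapolates how many rounds fit into `target`, and never returns fewer
// than `floor` rounds, so a very slow device still gets a sane minimum.
// (Hypothetical helper; the batch size of 10,000 is an arbitrary choice.)
func BenchmarkRounds(target, sample time.Duration, floor uint64) (uint64, error) {
	var key, seed [32]byte
	for i := range seed {
		seed[i] = byte(i) // constructed seed; any 32 bytes work for timing
	}
	const batch = 10000
	var done uint64
	start := time.Now()
	for time.Since(start) < sample {
		if _, err := AESKDFTransform(key, seed, batch); err != nil {
			return 0, err
		}
		done += batch
	}
	elapsed := time.Since(start)
	rounds := uint64(float64(done) * float64(target) / float64(elapsed))
	if rounds < floor {
		rounds = floor
	}
	return rounds, nil
}

func main() {
	// Calibrate for a 1-second unlock using a 200 ms sample.
	rounds, err := BenchmarkRounds(time.Second, 200*time.Millisecond, 100000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("suggested AES-KDF rounds for ~1s on this device: %d\n", rounds)
}
```

The sampling window should be short enough not to annoy the user but long enough to amortise CPU frequency ramp-up; a production implementation would also store the result in the database header, since the chosen round count must be readable by every client that opens the file.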

ghost commented 3 years ago

The default value of the Argon2 memory parameter on both KeePass and KeePassXC is now 64MB due to the KeePass 2.47 update. It might be a good idea for KeePassDX to follow the change.

shuvashish76 commented 4 months ago

https://github.com/Kunzisoft/KeePassDX/issues/1662#issuecomment-1926871990 Can we use OWASP's generally recommended parameters as the default setting for KeePassDX? It seems reasonable to me.