Bitwarden PINs can be brute-forced

[0xdeafbeef]

You can use pbdkf2 with 200k iterations or argon2 to derive key from pin

[gengkev]

Suppose it takes 2 seconds of 100% cpu usage to compute the password hash (you probably wouldn't want to wait much longer).

Then brute forcing a 4 digit PIN will take 20000 seconds ≈ 6 hours maximum. There's no way around that, no matter what hash function you use.

[benatkin]

In that case make it take a week to unlock your password store, then it will take 200 years to unlock it!

[TJSomething]

An Nvidia RTX 4090 can crack a 4 digit pin using PBKDF2 with 200k iterations in less than a quarter of a second. Argon2 is definitely the better option, but even at 1 hash per second, that's less 3 hours.

[barsonme]

This has very limited benefit for weak passcodes, like PINs.

[chrisandchris]

Which will still be ... nothing?

> [...] As a comparison baseline, a 2.4 GHz Core2 CPU can perform about 2.3 millions of elementary SHA-256 computations per second (with a single core), so this would imply, on that CPU, about 20000 rounds to achieve the "8 milliseconds" goal.

So you'll need something that takes at least as long as entering your full password, at which point you basically could enter the full password (from a UX perspective). They PIN is here to make it faster and it will always be security vs. ease-of-use.

[1] https://security.stackexchange.com/questions/3959/recommende...