PBKDF2 vs. Argon2 — why your KDF matters more than your cipher

In discussions of password manager security, cipher algorithms receive most of the attention. The key derivation function — the algorithm that converts your master password into an encryption key — receives much less. This is the wrong emphasis. Against the most relevant real-world threat for password manager users (offline brute-force on stolen vault data), the KDF and its parameters are more consequential than the cipher choice.

The 2022 LastPass breach put this in concrete terms. Vault backups were stolen. The encrypted credential content was protected by AES-256 — a strong cipher. The master password was protected by PBKDF2 — a KDF. And some accounts, including legacy accounts that hadn't been updated to modern defaults, had PBKDF2 configured with iteration counts as low as 1. At that setting, a GPU can test millions of master password candidates per second. The cipher was fine; the key derivation was not.

Understanding KDFs requires no cryptography background. The question is simple: if an attacker has a copy of your encrypted vault, how many guesses per second can they test against your master password? The KDF algorithm and iteration count determine the answer.

The assumption 'more iterations is always better for PBKDF2' is true in one direction — higher iteration counts slow down brute-force — but misses the more fundamental limitation. PBKDF2 was designed for password hashing when GPU acceleration for cryptographic operations was not practically available. Modern GPUs can perform PBKDF2 operations in highly parallelised batches, making even high iteration counts less protective than they might appear. PBKDF2 at 600,000 iterations on a modern GPU allows thousands of password candidates per second, not millions — but still more than Argon2 at equivalent cost.

A second assumption is that Argon2 is simply 'more modern' without understanding why. Argon2 won the Password Hashing Competition in 2015 specifically because it adds memory hardness to the computational cost of PBKDF2. Testing a password candidate against Argon2 requires not just processor time but a significant amount of RAM. GPU brute-force attacks are expensive in this model because GPUs, despite their parallel compute capacity, have limited per-core memory access. Memory-hard functions reduce the parallelism advantage that GPUs have over sequential computation.

A third assumption is that the KDF setting is chosen by the provider and out of user control. This is partially true — providers set defaults and some enforce minimums. But several providers allow users to configure their KDF. Bitwarden allows switching from PBKDF2 to Argon2id and configuring parameters. This means the KDF protection is not fixed at whatever the provider set; it can be upgraded.

PBKDF2 is widely deployed and was the standard for password-based key derivation for over a decade. At 600,000 iterations (LastPass's current default, Bitwarden's default), it provides meaningful protection against casual brute-force. Against dedicated offline cracking with modern GPU hardware, it is weaker than Argon2 at comparable compute cost, because PBKDF2 lacks memory hardness and benefits significantly from GPU parallelisation.

Argon2 has three variants: Argon2d (resistant to GPU attacks, vulnerable to side-channel), Argon2i (resistant to side-channel, slightly less GPU-resistant), and Argon2id (hybrid, recommended for password hashing). Bitwarden uses Argon2id. Dashlane uses Argon2d. NordPass uses Argon2 (variant not specified in public documentation but described as resistant to GPU attacks). All are meaningfully stronger than PBKDF2 for the offline brute-force threat.

Practical implication: if you are using Bitwarden and haven't changed the KDF settings since your account was created, check your current settings. Bitwarden's default was PBKDF2 for a long time; Argon2id became the recommended option in 2023 but may not have been automatically applied to existing accounts. Switching to Argon2id is a free, non-disruptive upgrade available in account security settings.

KDF strength against offline brute-force is one variable in a complete security model. The master password's entropy — how many possible passwords an attacker must test — is an equally important variable. A strong KDF with a weak master password, and a strong master password with a weak KDF, both leave gaps. Both need to be adequate; the KDF cannot compensate for a guessable password.