[GH-ISSUE #5109] KDF values shown wrong in webvault, also warning popup is wrong (2 problems) #2074

Closed
opened 2026-03-03 02:15:07 +03:00 by kerem · 8 comments
Originally created by @rdslw on GitHub (Oct 19, 2024).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5109

Vaultwarden Build Version

v1.32.2

Deployment method

Other method

Custom deployment method

personalized docker container

Reverse Proxy

none

Host/Server Operating System

Linux

Clients

Web Vault

Client Version

firefox 131.0.3

Steps To Reproduce

  1. change KDF to non default, and i.e. 700007 while being on 1.2* version
  2. update container to 1.32.* from below and restart
  3. login, see first bug: brown popup saying: "Low KDF iterations. Increase your iterations to improve the security of your account. Change KDF settings "
  4. go to 'change KDF setting' panel, and see '100000', (see sqlite verification)
  5. while being at the panel, change the type to argon, do not change anything
  6. change back to PBKDF2, and see '600000' -> second bug as I did not change anything, just switched tabs.

Expected Result

  1. no popup
  2. proper KDF 700007
  3. no change in KDF displayed upon switching KDF types back & forth

Actual Result

sqlite> select email,password_iterations from users;
x1@x1|100000
x2@x2|700007
x3@x3|700007

Above steps used login x2.
Login x3 also shows bug no 2 (wrong value upon type switching), while there was popup, but was dismissed and does not appear again, ALTHOUGH kdf was not changed.

I'm not sure in which version it happens.

Logs

No response

Screenshots or Videos

No response

Additional Context

No response

kerem 2026-03-03 02:15:07 +03:00: closed this issue and added the "bug" label

@BlackDex commented on GitHub (Oct 19, 2024):

Not sure what we can do here. Vaultwarden stores what it receives.
I find the steps a bit strange but will try to reproduce it.

Are you sure you didn't mix up the Vaultwarden KDF settings with the account KDF settings? Those are two totally different items.


@rdslw commented on GitHub (Oct 19, 2024):

Thanks for fast reply.

  1. As to reproducibility: problem no. 2 (web vault shows different values just on clicking PBKDF2 vs argon type) shall be easy to reproduce, as it happens on the newest v1.32.2. Can provide a short video here if interested to see it.

  2. As to problem no. 1 (different value in the sqlite users table vs what the web vault shows) and the popup warning -> I'm not sure when it started, probably earlier, while on v1.3?.*

  3. I understand that the users table and the web vault (settings -> security -> keys) both show the account KDF settings. Am I correct?

  4. Where can I check/see the Vaultwarden KDF settings? config.json + /admin?


@BlackDex commented on GitHub (Oct 19, 2024):

Also the kdf can't change without user interaction. Else you wouldn't be able to login again anymore.


@BlackDex commented on GitHub (Oct 19, 2024):

The Vaultwarden kdf is visible in the admin settings


@rdslw commented on GitHub (Oct 19, 2024):

ok, so what I'm seeing is relevant to the account KDF settings.

To summarize:

problem 1: popup shows, even if KDF settings (as verified in sqlite) are 700007

problem 2: values shown for KDF settings are wrong (settings -> security -> keys)

a. I have 700007 as sqlite shows
b. go to settings > security > keys: I see there 100000 as current KDF
c. while being there, change PBKDF2 to argon type, and back (NB: just clicking, not clicking the 'change kdf' button)
d. KDF shows 600000 (vaultwarden default)


@BlackDex commented on GitHub (Oct 19, 2024):

Again, which column are you looking at? Since I am not able to reproduce this at all using the steps you mentioned.

I have done the following.
For the database I used this query:

```sql
SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter, client_kdf_memory, client_kdf_parallelism FROM users
```

  1. Started Vaultwarden 1.20.0 (the very first v1.2* version):
     `docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 docker.io/bitwardenrs/server:1.20.0`
  2. Created a user and checked the database
     ![Account-Created_1 20 0_100_000](https://github.com/user-attachments/assets/78601bd9-2cea-42e1-bb17-c89f4e57a482)
  3. Updated the KDF settings and checked the database
     ![Account-Updated_1 20 0_700_007](https://github.com/user-attachments/assets/f7daba58-8e04-4e5c-a15a-86e54c10f074)
  4. Upgraded Vaultwarden to 1.32.2:
     `docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.32.2`
  5. Checked the settings and database
     ![Account-VW-Upgrade_1 20 0-1 32 2](https://github.com/user-attachments/assets/482174a3-93b1-405a-b016-5a042f8442f1)

Database results:

| version | uuid | password_iterations | client_kdf_type | client_kdf_iter | client_kdf_memory | client_kdf_parallelism |
|---------|------|---------------------|-----------------|-----------------|-------------------|------------------------|
| v1.20.0 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 100000 | 0 | 100000 | - | - |
| v1.20.0 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 100000 | 0 | 700007 | - | - |
| v1.32.2 | 5ce61ca9-9694-40ee-bac2-017851ff8637 | 600000 | 0 | 700007 | NULL | NULL |

I did the same but then started from v1.29.2, which is the last v1.2* version.

  1. `docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.29.2`
  2. ![Account-Created_1 29 0_600_000](https://github.com/user-attachments/assets/88a24111-f563-4378-9e97-c80f332dbae3)
  3. ![Account-Updated_1 29 0_700_007](https://github.com/user-attachments/assets/aca76b93-7594-48be-a3c4-9cea8eba390d)
  4. `docker run -it -e DISABLE_ADMIN_TOKEN=true -v "${PWD}/tmp:/data" -p8080:80 ghcr.io/dani-garcia/vaultwarden:1.32.2`
  5. ![Account-VW-Upgrade_1 29 0-1 32 2](https://github.com/user-attachments/assets/0c129fe8-651e-4939-a358-8a6588e9bbf5)

Database results:

| version | uuid | password_iterations | client_kdf_type | client_kdf_iter | client_kdf_memory | client_kdf_parallelism |
|---------|------|---------------------|-----------------|-----------------|-------------------|------------------------|
| v1.29.0 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 600000 | NULL | NULL |
| v1.29.0 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 700007 | NULL | NULL |
| v1.32.2 | cd1b2ee6-aac0-4345-a1a6-20946df19c4d | 600000 | 0 | 700007 | NULL | NULL |

@rdslw commented on GitHub (Oct 19, 2024):

I was originally looking at the password_iterations column.

Here is the result of your query run now:

```
sqlite> SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter, client_kdf_memory, client_kdf_parallelism FROM users;
X1..e3|100000|0|100000||
X2..12|700007|0|900009||
X3..e4|700007|0|100000||
```

Looks like problem no. 1 was my mistake of X2 vs X3 user, which together with problem no. 2 made me not trust the values shown. Sorry for that.
I shall probably change the issue title to "KDF values shown wrong in web vault upon selecting different algo type".

Looks like only problem 2 exists, on both users (X2 and X3).

How to reproduce:

  1. use current version v1.32.2

  2. login to the web vault

  3. go to settings/security/keys, see:
     ![Screenshot 2024-10-19 19 45 22+02 00](https://github.com/user-attachments/assets/4aee3d9a-d294-4f3d-908c-c4451a44a4f0)

  4. switch algorithm type to argon, DO NOT click button 'change kdf', see:
     ![Screenshot 2024-10-19 19 46 07+02 00](https://github.com/user-attachments/assets/51fa429f-a53e-44bf-a413-43c496c881cb)

  5. switch algorithm type again to PBKDF2, see wrong iterations:
     ![Screenshot 2024-10-19 19 46 50+02 00](https://github.com/user-attachments/assets/0c51e75b-bc54-46e5-8f7d-98412df67b7f)

**Problem no. 2 visible here**: iterations is now 600000 while it was 100000 at step 3. User iterations is 100000.

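The thread turns on two different columns of Vaultwarden's `users` table: `client_kdf_iter` (the account's client-side KDF iterations, the number the web vault's "Low KDF iterations" banner looks at) and `password_iterations` (which this example assumes, as Vaultwarden's design rather than anything stated in the thread, is the server-side work factor applied to the master-password hash the client sends, so the client never sees it). The block below is an added example, not code from the issue or from Vaultwarden. It loads the three rows rdslw posted plus one constructed Argon2id account into an in-memory SQLite table (`sqlite3` from the standard library), runs the banner check on the right column and on the wrong one, and shows why X3 legitimately gets the banner while X2 does not, even though both have `password_iterations = 700007`. The 600,000 threshold is an assumption matching the default value the web vault displays in the thread; the `load_sample_db`, `low_kdf_accounts`, `misread_low_kdf_accounts` and `kdf_summary` names are this example's own.

```python
import sqlite3

# KDF type codes as stored in Vaultwarden's users.client_kdf_type column.
KDF_PBKDF2 = 0
KDF_ARGON2ID = 1

# Assumed banner threshold: the web vault warns for PBKDF2 accounts below its
# own default of 600,000 iterations (the value the thread shows the form
# falling back to). This number is an assumption, not read from client code.
LOW_KDF_THRESHOLD = 600_000

# Constructed sample rows. The first three are the values rdslw posted
# (uuid, password_iterations, client_kdf_type, client_kdf_iter,
# client_kdf_memory, client_kdf_parallelism); the fourth is an invented
# Argon2id account added to show that the check is PBKDF2-only.
SAMPLE_USERS = [
    ("X1..e3", 100000, KDF_PBKDF2, 100000, None, None),
    ("X2..12", 700007, KDF_PBKDF2, 900009, None, None),
    ("X3..e4", 700007, KDF_PBKDF2, 100000, None, None),
    ("X4..ff", 600000, KDF_ARGON2ID, 3, 64, 4),
]


def load_sample_db(rows=SAMPLE_USERS):
    """In-memory SQLite users table with only the KDF-related columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE users (
               uuid TEXT PRIMARY KEY,
               password_iterations INTEGER NOT NULL,
               client_kdf_type INTEGER NOT NULL,
               client_kdf_iter INTEGER NOT NULL,
               client_kdf_memory INTEGER,
               client_kdf_parallelism INTEGER)"""
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def low_kdf_accounts(conn=None, threshold=LOW_KDF_THRESHOLD):
    """uuids that should see the 'Low KDF iterations' banner.

    The check is on client_kdf_iter (the account's client-side KDF) and only
    for PBKDF2; Argon2id 'iterations' are passes and are not comparable.
    """
    if conn is None:
        conn = load_sample_db()
    cur = conn.execute(
        "SELECT uuid FROM users WHERE client_kdf_type = ? AND client_kdf_iter < ? "
        "ORDER BY uuid",
        (KDF_PBKDF2, threshold),
    )
    return [row[0] for row in cur]


def misread_low_kdf_accounts(conn=None, threshold=LOW_KDF_THRESHOLD):
    """The same check run against password_iterations, the column the report
    originally quoted. That column is the server-side work factor (assumed
    here, not stated in the thread) and the client never sees it, so this
    list diverges from what the web vault shows."""
    if conn is None:
        conn = load_sample_db()
    cur = conn.execute(
        "SELECT uuid FROM users WHERE password_iterations < ? ORDER BY uuid",
        (threshold,),
    )
    return [row[0] for row in cur]


def kdf_summary(conn=None, threshold=LOW_KDF_THRESHOLD):
    """Both columns side by side per account, with the banner verdict."""
    if conn is None:
        conn = load_sample_db()
    out = {}
    for uuid, srv_iter, kdf_type, kdf_iter in conn.execute(
        "SELECT uuid, password_iterations, client_kdf_type, client_kdf_iter FROM users"
    ):
        out[uuid] = {
            "server_iterations": srv_iter,
            "client_kdf": "Argon2id" if kdf_type == KDF_ARGON2ID else "PBKDF2",
            "client_iterations": kdf_iter,
            "banner": kdf_type == KDF_PBKDF2 and kdf_iter < threshold,
        }
    return out


if __name__ == "__main__":
    for uuid, info in kdf_summary().items():
        print(uuid, info)
    print("banner for:", low_kdf_accounts())
    print("if you read password_iterations instead:", misread_low_kdf_accounts())
```

Run against the rows from the thread, `low_kdf_accounts()` returns X1 and X3 (both at 100000 client-side), while reading `password_iterations` would flag only X1; that difference is exactly the "problem no. 1" the reporter withdrew above. On a real instance, point `sqlite3.connect` at the `db.sqlite3` in the data volume (read-only, with Vaultwarden stopped or a copy) and reuse the same query.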

@BlackDex commented on GitHub (Oct 19, 2024):

Well, that seems like a UI client issue, and it shows the default recommended value. If you do not click on save then it will still be 100_000, unless you save of course.

As this is a web-vault/client issue, and this project does not maintain or develop those, it's not something we can fix (easily).

If anything, I would suggest checking and verifying whether this also happens on the Bitwarden Cloud environment; if so, report it in their client repo on GitHub. Else it might be fixed already in a version newer than v2024.6.2, which Vaultwarden does not (yet) support.

As this is a client issue, I'm going to move this to a discussion.
