A self-destruct option, meaning it will wipe the database after three, five, 10, or 20 failed attempts to input the correct password.
Why? The database is encrypted already.
The password goes through key derivation, so it is safe against any practical number of attempts. Also, a person with access to the platform to attempt password input would have access to make a copy of the encrypted vault, so they could just put the file back and get another 20 attempts, etc.
Agreed, if someone backed up the device before a self-destruct and restored the device after a self-destruct, they might be able to keep moving forward with a brute force attack. Self-destruct adds to the complexity the same way a strong random password can vs. using “password”. It adds to the skills needed by the attacker and adds time the attacker will need. Both are good for us and bad for the attacker. To add to the complexity, do not disclose that one more bad entry will result in the self-destruction; it might catch them off guard, with no backup performed. Using 5 tries before self-destruct adds to the time needed.
Other password managers have been called out on brute force attacks; a link to a recent article is below. We all want Bitwarden to be the best password manager and stand up to the test of time.