What I mean is: as far as I understand it, all the hashing and salting and the large number of iterations will only protect the encrypted form of my password, which is stored on my computer locally and stored on the web vault of Bitwarden. But if someone steals the original master password (by keylogging when I log in to Bitwarden…) and an encrypted copy of my vault (e.g. from an encrypted *.json file), all those hardware security measures are totally irrelevant. And the hardware security key is also irrelevant because the security key will not be needed to decrypt the database itself. The hardware security key will protect me from being phished by accidentally clicking on a fake Bitwarden webpage and logging in there…
The attack vector of being infected with a trojan or a keylogger is relatively huge and totally realistic in my opinion … a lot, lot more realistic than someone really trying to brute force the Bitwarden web vault…
And I just don’t get why there seems not to be any option to protect against it and why you, for example, seem not to see any necessity to protect against it…