Yes. It also means that there is no “backup database” that an attacker could steal. At worst, an attacker who breaks into Microsoft’s backup servers would acquire a transaction record containing the old master password hash and the old protected key (at this point, it is not clear that they would even have access to the email address that is used as a salt in the hashing process). Even if they were able to brute-force the (old) master password and extract your account encryption key, the attacker would have to successfully breach a different server (or one of your local devices) to acquire a copy of your encrypted vault before they could access your secrets.
I think this also demonstrates that Bitwarden’s decision to use Azure’s managed services was correct, because it allows Bitwarden to take advantage of Azure’s security best practices, thus freeing up Bitwarden developers’ time to concentrate on product development.
Yes, they do, but it happens in an incremental way, so it is slightly safer than full backups. However, you should assume that somebody will eventually steal the Bitwarden vaults from Bitwarden. This leads me to your next question, which is…
The answer is yes, which means it is absolutely critical that you create a strong Master Password and store a written copy in a secure location. The strong Master Password is what is ultimately securing your data in your vault.
There is no backup vault to steal. There are records of individual database transactions that have resulted in changes to the vault data, and even then, these records are only stored for a week.
At least this is my current understanding of the documentation. I may research it further at some point, or perhaps someone who has greater familiarity with the Azure framework will chime in.
@RogerDodger is right: Use a generator to create a passphrase of 5-7 randomly selected words for your master password, and you’ll be safe even if you were to give out vault copies on USB drives like candy.
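The key hierarchy described in the first reply (master password hashed with the email as salt, a wrapped “protected key”, and a separately stored encrypted vault) and the passphrase advice above can be exercised end to end in a few lines. The following is an added example written for this thread, not code from any of the posters and not Bitwarden’s own implementation. It models the documented structure (PBKDF2-SHA256 with the email as salt, a single extra PBKDF2 round for the server-side login hash, HKDF-style stretching into an encryption key and a MAC key, and an account key wrapped under the stretched key) but substitutes an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC for AES-256-CBC + HMAC so it runs on the standard library alone. The iteration count, the function names, and the sample email, passphrase and vault contents are all assumptions constructed for the example.

```python
"""Simplified model of a Bitwarden-style vault key hierarchy (added example, not Bitwarden code).

AES-256-CBC + HMAC-SHA256 is replaced by an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag so this runs with the standard library only; the key handling is the point.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets

KDF_ITERATIONS = 100_000  # assumption: illustrative only; the real default has changed over time
WORDLIST_SIZE = 7776      # size of a diceware-style word list such as the EFF large list


def passphrase_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words chosen uniformly at random (with replacement) from the list."""
    return n_words * math.log2(wordlist_size)


def master_key(password: str, email: str) -> bytes:
    """Client-side master key: PBKDF2-SHA256 with the normalised email address as salt."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)


def master_password_hash(mkey: bytes, password: str) -> bytes:
    """What the server stores for login: one more PBKDF2 round with the password as salt."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)


def stretch(mkey: bytes) -> tuple[bytes, bytes]:
    """HKDF-expand (single block each) the master key into an encryption key and a MAC key."""
    enc = hmac.new(mkey, b"enc" + b"\x01", hashlib.sha256).digest()
    mac = hmac.new(mkey, b"mac" + b"\x01", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256(key, iv || counter) blocks (assumption, not AES)."""
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns iv || ciphertext || tag."""
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_box(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes | None:
    """Verify the tag first; a wrong key yields None rather than garbage plaintext."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def enroll(email: str, password: str, vault_plaintext: bytes) -> tuple[dict, bytes]:
    """Create an account: returns (what the server/backup holds, the encrypted vault)."""
    sym_enc, sym_mac = secrets.token_bytes(32), secrets.token_bytes(32)  # random account key
    mkey = master_key(password, email)
    s_enc, s_mac = stretch(mkey)
    server_record = {
        "email": email,
        "master_password_hash": master_password_hash(mkey, password),
        "protected_key": seal(s_enc, s_mac, sym_enc + sym_mac),  # account key wrapped
    }
    vault_blob = seal(sym_enc, sym_mac, vault_plaintext)
    return server_record, vault_blob


def recover_account_key(record: dict, password: str) -> bytes | None:
    """All a thief holding only the server/backup record gets from a correct guess."""
    mkey = master_key(password, record["email"])
    if not hmac.compare_digest(master_password_hash(mkey, password),
                               record["master_password_hash"]):
        return None
    return open_box(*stretch(mkey), record["protected_key"])


def unlock(record: dict, password: str, vault_blob: bytes) -> bytes | None:
    """Reading secrets additionally requires the encrypted vault itself."""
    account_key = recover_account_key(record, password)
    if account_key is None:
        return None
    return open_box(account_key[:32], account_key[32:], vault_blob)


def guess_offline(record: dict, candidates: list[str]) -> str | None:
    """Offline guessing against a stolen record: no server round trip, no rate limit."""
    return next((p for p in candidates if recover_account_key(record, p) is not None), None)
```

`guess_offline` is the attack the first reply describes: a stolen transaction record lets an attacker test candidate master passwords offline, and a correct guess unwraps the account key. `unlock` shows why that alone is not enough, since the vault ciphertext lives elsewhere; and `passphrase_entropy_bits(5)` comes out at roughly 65 bits, which is why a 5-7 word random passphrase puts that offline search out of reach. Note that the only thing the email contributes is the salt, so it prevents precomputed tables, not guessing.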
Thanks to both RogerDodger and Grb. I now understand better what is meant by the incremental backup approach and how it significantly limits the issues connected with a potential hack. I already have a passphrase that is of the suggested size and complexity. I really do appreciate the willingness of both of you to help further my knowledge in this area.
As per my off-the-top-of-my-head understanding of the BW documentation and Microsoft documentation, backups of the vault are kept, but only vault data from up to 7 days earlier can be replicated, and any transaction logs older than that are not retained.
Backups of the vault would be important to safeguard against any denial of service or in case a bad actor tried to wipe users’ data from Bitwarden’s servers. Loss of all users’ data would bring more damage in general than an attacker trying to brute-force a single user’s data.
Therefore it is in users’ benefit to keep backups of the vault.