Cloud vault backups retention

Does anyone know how long backups of vaults on Bitwarden’s cloud storage are retained?
And a follow-up:
If for example I’m concerned that my vault MP may have been compromised, after I rotate the MP is it straightforward to request Bitwarden to delete all of their existing cloud backups for that vault?



Hi @gwj and welcome to the Community! You may want to take a look at this thread:

I also don’t believe there is a way for Bitwarden to delete your specific vault from a backup.

IMHO, the most important thing is to have a very strong Master Password followed by strong 2FA. Also, it is a good idea to keep your own personal backup of your vault on a Flash Drive and store it in a secure location in case somebody does breach your vault.

Didn’t see anything specific to Bitwarden’s cloud backups in that thread.

As a former LastPass customer who switched to Bitwarden, LP’s latest breach has highlighted for me a general drawback of hosted password managers (including Bitwarden), which is the lack of visibility into vault backup retention, and the inability as an end user to have them nuked.
Master password should still be rotated once in a blue moon no matter how strong it is, and once it’s rotated then you have to start worrying about the old MP still protecting vault backups lingering around cloud storage.
2FA is a moot point if/when vaults are stolen from the cloud (r.e. LP).


I’m also an LP refugee, so I understand your concern. Some Bitwarden users self-host so they have absolute control. You might want to consider that as an option.

Just curious, but why?

True, but it definitely helps in the case where somebody acquires your password and only has access to your vault through a browser (no breach).

I guess your third point answers your second one :stuck_out_tongue:
For me it’s mainly a peace of mind thing. Suppose a bad actor does somehow get a master password without arousing suspicion, but can’t access the vault without 2FA, so they sit on it. If the MP gets changed every year or two, then the mind can ‘reset’ at that point and not have to worry about anything that took place prior (except for those cloud vault backups).

If no one on this thread can answer about Bitwarden’s backup schedule, perhaps emailing support would reveal their retention period of your data once you delete your account. It must be in their documentation somewhere.