Encrypted JSON Exports: Benefits of the Old Format

If an attacker finds an encrypted JSON in the old format, where the file only works for my current BW account, then even if they somehow know the password, they are unable to do anything with it unless they also know my BW account e-mail address. Correct? Additionally, I can render that backup useless by rotating the encryption key.

With the new format, they can use the JSON with any account, so it is easier for an attacker to benefit from one of those backups.

To remedy this, I use for those new encrypted JSON backups an even stronger password than I use for my BW master pass. After all, this is disaster recovery, so I hope never to have to enter that password anyway, and its additional length is rather irrelevant. I find it trivially easy to print out multiple copies of an important password and store it in multiple locations. Takes up very little space.

Currently I back up my vault using both methods.

One thing of note also. I’ve recently upgraded my Argon settings. That means my old backups will still work perfectly but will lack the protection of my newly upgraded Argon settings. Correct?

To benefit from my new Argon settings I’ll have to make new backups. As mentioned elsewhere, I was able to increase the memory parameter many times beyond the default without detrimentally impacting my ability to access my account. This ought to provide significantly improved security against an attacker.

1 Like

Yes, with account-restricted JSON, it is extremely easy to render your backups useless. Whether you consider this a benefit depends upon whether you believe you would do so intentionally or if it would happen accidentally.

I personally keep backups because I am primarily concerned about loss-of-vault and losing access to all my passwords. I envision two ways this could happen. First, if Bitwarden were to become insolvent, I will want to restore into a new account at (for example) Vaultwarden.net. Second, there have been some recent examples of account corruption. Worst case, one might need to delete their account, create a new account and restore a backup.

So, instead, I create two different backups: My off-site backup uses a long, strong, unique backup password which is stored in the vault for easy backups and on my emergency sheet to ensure restorability. My on-site backup is unencrypted but stored in a highly-secure location because that ensures I can recreate into a competitor “by hand” if necessary.

Not saying your approach is wrong; just that we prioritize different risks.

1 Like

“First, if Bitwarden were to become insolvent,”

There would be plenty of time to act is my thinking. Wouldn’t be an overnight thing. Probably at least 6 months of notice. By the way, Bitwarden raised $100 million in late 2022: Bitwarden raises $100M | Hacker News

If they somehow know your master password? No, they would also need your email address, and your 2FA to get into your account, and in this scenario they wouldn’t even need to import the JSON (unless you have made significant modifications to the vault contents since the export was made).

Correct.

True, but it would be more effective to just increase the number of words in your random passphrase.

2 Likes