I hope this is the right place to discuss this concern and float the idea for an improvement.
I recently experienced a situation where Bitwarden lost a password I had just created. Here are the steps to reproduce:
- Update a password using either the web vault or a browser extension.
- Using the android app, try to use the login you just changed for the first time. Bitwarden will prompt you to autofill the password. Hit “Yes, and save”.
What I believe to have happened is that my Android app did not yet receive the password update I had just made in step 1. Without knowing details about the internals of Bitwarden, my assumption is that during step 2, I saved the password record to associate the URI of the android app with my password, but at this point in time my app had not yet received the updated password from step 1. (Indeed, my login attempt failed on Android because it used my old password.) Unfortunately, saving the URI for the android app also overwrote the password update from step 1. The password update from step 1 was not even in the password history.
I believe it would be relatively straightforward to prevent situations like this by verifying a checksum of the old record (before changes made) any time an update is performed, and preventing the possibility of data loss by failing the update (or performing some sort of merge, etc) if the checksums don’t match.
I’m happy to answer any questions or try to develop alternative (better) steps to reproduce the problem if necessary. Thanks for writing a great password manager.
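The checksum check proposed above, as an added example that is not Bitwarden's code: a toy vault server that rejects a write whose base checksum no longer matches the stored record, replaying the two steps from the post with and without the check. The record layout, the `androidapp://` URI and the checksum scheme are assumptions.

```python
import copy
import hashlib
import json

def record_checksum(record: dict) -> str:
    """Checksum over a canonical JSON encoding of the record (constructed scheme)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class StaleRecordError(Exception):
    """Raised when a client tries to overwrite a record version it never saw."""

class VaultServer:
    """Toy server holding one copy of each login record (hypothetical, not Bitwarden's)."""

    def __init__(self, verify_checksum: bool):
        self.verify_checksum = verify_checksum
        self.records = {}

    def get(self, record_id: str) -> dict:
        return copy.deepcopy(self.records[record_id])

    def put(self, record_id: str, new_record: dict, base_checksum: str) -> None:
        """Store new_record; base_checksum is the checksum of the copy the client edited."""
        current = self.records.get(record_id)
        if self.verify_checksum and current is not None and record_checksum(current) != base_checksum:
            raise StaleRecordError(f"{record_id} changed since the client last synced")
        self.records[record_id] = copy.deepcopy(new_record)

def simulate(verify_checksum: bool) -> str:
    """Replay the two steps from the post; return the password the server ends up with."""
    server = VaultServer(verify_checksum)
    server.records["login-1"] = {"uris": ["https://example.test"], "password": "old-pw"}
    # The Android app synced earlier and holds a cached copy of the record.
    android_copy = server.get("login-1")
    android_base = record_checksum(android_copy)
    # Step 1: the web vault changes the password (its copy is current, so the write succeeds).
    web_copy = server.get("login-1")
    web_base = record_checksum(web_copy)
    web_copy["password"] = "new-pw"
    server.put("login-1", web_copy, web_base)
    # Step 2: the Android app, still holding the stale copy, saves the app URI onto it.
    android_copy["uris"].append("androidapp://com.example.app")  # constructed URI
    try:
        server.put("login-1", android_copy, android_base)
    except StaleRecordError:
        pass  # the client should re-sync and merge; here we simply keep the server's record
    return server.get("login-1")["password"]
```

Without the check the stale Android write silently restores the old password; with it the server keeps the step-1 update and the app is told to re-sync.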