I understand they have to keep snapshots of vaults to an extent in the event a rollback or something is needed. But I’m curious if there’s any sort of retention period or if they’ve ever stated anything as such. Ex: Deleting vault backups older than 6 months / keeping the most recently modified vault as the up to date one.
Let’s say for example my password was relatively weak for a master password. I realized later that a stronger password was needed so I changed it. How long is that database with the old password kept by Bitwardens servers?
Bitwarden has configured a strict 7-day retention policy for PITR [point-in-time restore] and a policy of no long-term retention.
Also, Bitwarden does not back up the actual database, but instead maintains a log of individual database transactions (for up to 7 days), which can be used to reverse (undo) changes made to the database during that time period.
Therefore, your password change would probably be logged as something like “Database value in Field keyHash for User 85703 in Table UserData was changed from 8gYcnKGz+3ENJ9Ur2P1VfnFaE7wlyxJqtMNwi1gXqg4= to Fs91FR21uml1UkG+t0K1ryHu31gVz6oHE3fsenpVpjQ=”. It is not a given that an attacker would even be able to associate your old master password with any of your vault data, if the log files were compromised.