I’m not qualified to talk about how Bitwarden works, but I believe I can clear up some misunderstandings based on what you linked.

That post on reddit links to an article which talks about brute forcing TOTP, assuming that someone has already stolen your username and password. Keep in mind that if someone does that, without TOTP or any other two-factor authentication method, you are already considered completely hacked and compromised.

As you probably know, TOTP as provided by Google Authenticator gives you **a 6 digit code EVERY 30 seconds**. This code is calculated based on time from a static code (that QR code you scan, which is actually just a sequence of characters). For any code generation there are 1000000 possibilities, which helps when calculating the chance of success of finding the right combination.

Assuming that **no security measures are in place**, you can make many attempts per second. In the article, a random number is chosen, that being 10. That means that under the conditions stated, someone could try to guess the code about 300 times in, and only in, that 30 second span. This gives you about a 0.03% chance of finding the right numbers. Because every 30 seconds you are looking for another combination, the chances do not change, not being affected by the previous result. Your chance to get it right is still 0.03% in the end.

The article says you can compute all the possible codes in about 3 days at that rate. Sure, **IF** the code never changed, that would be a concern, **BUT it changes every 30 seconds.**

**That is also assuming that you don’t have security measures in place.** Most sites have something to prevent you from spamming those brute force attacks. So a more realistic number of attempts at brute forcing per 30 seconds would perhaps be around one attempt per second or even less. That brings us to about 30 attempts for the time span of 30 seconds. Some go even further and, after you reach a given number of attempts, will block you for a while, which lowers the actual chance of success over a larger period of time. Anyway, that brings the chance of guessing your TOTP in those 30 seconds to about 0.00003%. And because what was tried in the previous 30 seconds could still be a viable option in the next 30 seconds, you’re still averaging about a 0.00003% chance of getting your TOTP correctly.

Again, this considers that your user and password are already known by the attacker. Without those, the attacker must brute force every single length of possible passwords until it reaches the maximum, which I’m not sure what it is, but just cracking a 16 character password can take more than your next few lives, and it only goes up from there.