by novium 1915 days ago
If I'm not mistaken it should be mostly fine as long as you trust the desktop/phone versions of Bitwarden not to send off the (unhashed) key to the server

Edit: Noting that there have been discussions about the default number of iterations. https://github.com/bitwarden/jslib/issues/52
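An added illustration of the iteration question raised above (example code written for this thread, not Bitwarden's code or its actual key-derivation scheme): a client-side PBKDF2-HMAC-SHA256 derivation where the iteration count is a parameter, plus a second, separate derivation so that what the client sends to the server is not the key that unlocks the vault. The use of the account email as salt, the 32-byte key length, the one-round "auth hash" step and the 100,000 iteration floor are assumptions chosen for the example.

```python
import hashlib
import time


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key, entirely on the client.

    Assumption for this example: the lower-cased account email is the salt.
    The iteration count is what the linked discussion is about: higher is
    slower for the user, but also slower for anyone brute-forcing a stolen
    vault or a stolen server-side hash.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        email.strip().lower().encode("utf-8"), iterations, dklen=32,
    )


def server_auth_hash(master_key: bytes, password: str) -> bytes:
    """Derive the value the client would send to the server for login.

    Assumption: one further PBKDF2 round keyed by the master key. The server
    stores only (a hash of) this value; it never receives the master key
    itself, which is the property the comment above says you must trust
    the client to uphold.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_key, password.encode("utf-8"), 1, dklen=32,
    )


def iterations_meet_floor(iterations: int, floor: int = 100_000) -> bool:
    """Check a configured iteration count against a minimum.

    The 100,000 floor is a constructed example value for this snippet,
    not a recommendation taken from the thread or from Bitwarden.
    """
    return iterations >= floor


def time_derivation(password: str, email: str, iterations: int) -> float:
    """Measure how long one derivation takes at a given iteration count."""
    start = time.perf_counter()
    derive_master_key(password, email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    pw, mail = "correct horse battery staple", "User@Example.com"
    for n in (5_000, 100_000, 600_000):
        secs = time_derivation(pw, mail, n)
        print(f"{n:>8} iterations: {secs * 1000:7.1f} ms, "
              f"meets floor: {iterations_meet_floor(n)}")
    key = derive_master_key(pw, mail, 100_000)
    auth = server_auth_hash(key, pw)
    print("master key == auth hash?", key == auth)
```

Running this shows the cost scaling roughly linearly with the iteration count, and that the login value differs from the encryption key even though both come from the same password.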

3 comments

Even if the takeaway from that conversation was that sha256 is good enough, it concerns me how the Bitwarden team handled that issue.
The few tickets I've been interested in, their answers have been along those lines. I've mentioned this before, but Bitwarden has been broken in Firefox's private mode, and to this day they're just blaming Mozilla for deprecating some APIs due to privacy concerns. Mozilla has given a safer alternative, but they're refusing to fix it. Someone even raised a PR to fix it, but they had some feedback. The PR has since gone stale.
The main problem I can see is entering your login in the web interface. I still use it though.
Note also that the bitwarden desktop app has a remote code execution vulnerability that the developers refuse to fix, which means that the developers can, at any time, replace your local copy of the bitwarden desktop app with a different version that could steal all your passwords in exactly the manner you describe.

You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own self-hosted bitwarden_rs instance.

Do you have more information on this? A link maybe?

EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.

I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.