by andmarios 1245 days ago
I am not sure I get the flaw. The author says that the problem is an attacker only needs 100,000 iterations to get the master password hash, instead of doing the 100,000+100,000 iterations to get the master password and the master password hash.

Wouldn't the master password hash, though, be so long that 100,000 iterations would be really hard to brute-force?


The point is it goes master password -> encryption key -> master password hash. The master password hash is only important if you want to download the database from Bitwarden's server; the real valuable part is the encryption key, and the attacker is extremely unlikely to have the master password hash but not the encrypted database, which they can use to check the encryption key.
Ah, that makes it clear. Thank you for the explanation. :)
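The derivation chain from the reply above, as an added example that is not part of the thread or of Bitwarden's code: the iteration counts, the salt, and the toy HMAC-tagged vault format are assumptions for illustration. It shows that a copy of the encrypted database confirms or rejects an encryption key on its own, so the hash step's work never enters that check; only the iteration count of the first step protects the vault offline.

```python
import hashlib
import hmac

KEY_ITERATIONS = 100_000  # the 100,000 PBKDF2 rounds discussed in the thread
HASH_ITERATIONS = 1       # assumed: the hash step is a cheap derivation from the key

def derive_encryption_key(master_password: str, salt: bytes) -> bytes:
    """Step 1 (master password -> encryption key): the expensive derivation."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KEY_ITERATIONS)

def derive_master_password_hash(encryption_key: bytes, master_password: str) -> bytes:
    """Step 2 (encryption key -> master password hash): the value the server
    stores and checks before it hands out the encrypted database."""
    return hashlib.pbkdf2_hmac("sha256", encryption_key, master_password.encode(), HASH_ITERATIONS)

def seal_vault(encryption_key: bytes, payload: bytes) -> bytes:
    """Assumed toy vault format: an HMAC tag under the encryption key, followed
    by the payload. A real vault also encrypts; the tag is what makes a key checkable."""
    return hmac.new(encryption_key, payload, "sha256").digest() + payload

def vault_accepts_key(candidate_key: bytes, vault_blob: bytes) -> bool:
    """The offline check the reply describes: a database copy confirms or
    rejects a key by itself, with no master password hash involved."""
    tag, payload = vault_blob[:32], vault_blob[32:]
    expected = hmac.new(candidate_key, payload, "sha256").digest()
    return hmac.compare_digest(tag, expected)

def server_accepts_hash(stored_hash: bytes, presented_hash: bytes) -> bool:
    """The online check: the server compares hashes before releasing the vault."""
    return hmac.compare_digest(stored_hash, presented_hash)

def demo() -> dict:
    # Constructed sample values, not real credentials.
    password = "correct horse battery staple"
    salt = b"user@example.com"
    key = derive_encryption_key(password, salt)
    stored_hash = derive_master_password_hash(key, password)
    vault = seal_vault(key, b"constructed vault payload")
    wrong_key = derive_encryption_key("wrong password", salt)
    return {
        # Both checks pass with the right password ...
        "vault_ok": vault_accepts_key(key, vault),
        "server_ok": server_accepts_hash(stored_hash, derive_master_password_hash(key, password)),
        # ... and the vault check alone rejects a wrong key. Step 2 was never
        # run for that decision, so its iterations add nothing to the vault's
        # offline protection; raising KEY_ITERATIONS is what does.
        "vault_rejects_wrong": not vault_accepts_key(wrong_key, vault),
    }
```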