by nebulous1 1187 days ago
It already is intentionally "slow". However, for a 4-digit PIN there are only 10 thousand combinations. It is not practical for it to be so slow that 10,000 times that is an infeasible amount of time. Not only would the user have to wait too long on each entry, the attacker could just use faster hardware.

Or multiple machines. There are about 31k seconds in a year. 3.1 seconds per iteration seems already slow as a response time to unlock a db so it's about one year for those 10000 attempts. Split it between 10 machines by first digit, it's down to a little more than one month. Split it between 100 machines by the first two digits and it's down to half a week.

A four-digit PIN is poor security. What Bitwarden could do is remove that feature.

Uhm, 31k seconds is about 8.7 hours.
31.5 million seconds in a year
You're right, sorry. I probably misread my screen.
Split it across 5000 machines, which will be "quite easy to get" for a computation that takes a single line in most languages. Then we're talking about 6 seconds and 50% success on the first try.
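The arithmetic the thread argues over, written out as a small cost model. This is an added example, not code from the thread or from Bitwarden; it assumes the scenario the commenters describe (offline guessing against a copied vault, no lockout counter, attempts split evenly across machines by leading digits) and uses the thread's 3.1 s per attempt and 31.5 million seconds per year.

```python
"""Brute-force cost model for a short numeric PIN behind a deliberately slow unlock.

Assumption (from the discussion): the attacker can run attempts offline, so the
only cost per guess is the unlock delay, and work can be split across machines.
"""
from math import ceil

SECONDS_PER_YEAR = 31_500_000   # figure used in the thread
SECONDS_PER_DAY = 86_400


def keyspace(pin_digits: int) -> int:
    """Number of distinct PINs of the given length (digits only)."""
    return 10 ** pin_digits


def seconds_to_exhaust(pin_digits: int, seconds_per_attempt: float,
                       machines: int = 1) -> float:
    """Worst-case wall-clock time to try every PIN with `machines` attackers
    working in parallel on disjoint slices of the keyspace."""
    attempts_per_machine = ceil(keyspace(pin_digits) / machines)
    return attempts_per_machine * seconds_per_attempt


def seconds_to_fifty_percent(pin_digits: int, seconds_per_attempt: float,
                             machines: int = 1) -> float:
    """Time at which the attacker has a 50% chance of having hit the PIN:
    half the keyspace has been covered."""
    return seconds_to_exhaust(pin_digits, seconds_per_attempt, machines) / 2


def delay_for_target(pin_digits: int, target_seconds: float,
                     machines: int = 1) -> float:
    """Per-attempt delay the unlock would need so that exhausting the keyspace
    with `machines` attackers takes at least `target_seconds`. This is the
    delay every legitimate unlock would also pay."""
    attempts_per_machine = ceil(keyspace(pin_digits) / machines)
    return target_seconds / attempts_per_machine


def cost_table(seconds_per_attempt: float = 3.1,
               digit_lengths=(4, 6, 8), machine_counts=(1, 10, 100, 5000)):
    """Rows of (digits, machines, days to exhaust) for a quick comparison."""
    return [(d, m, seconds_to_exhaust(d, seconds_per_attempt, m) / SECONDS_PER_DAY)
            for d in digit_lengths for m in machine_counts]


if __name__ == "__main__":
    for digits, machines, days in cost_table():
        print(f"{digits}-digit PIN, {machines:>5} machines: {days:12.4f} days to exhaust")
    # Delay a 4-digit PIN would need to survive one year against one machine:
    print(f"required unlock delay: {delay_for_target(4, SECONDS_PER_YEAR):.0f} s")
```

With one machine at 3.1 s per attempt, the 4-digit keyspace is exhausted in 31,000 s (about 8.6 hours), and making that take a year would require a 3,150 s delay on every unlock.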