All the replies have given random statistics, but these don't shed much light on the length of time it may take an attacker to brute-force a password, or find a chink in the armor of the vault's encryption algorithm.
Now as I said, a significant threat actor with lots of time in their future plans can collect encrypted stuff such as vaults and bide their time. Someday, the decryption may be cost-effectively cheap. Someday, a flaw may be uncovered in the cryptography. Someday, a vault owner's secret key(s) may leak and can be correlated.
As I said, it's just a question of time, and the ability to hold on to your cards for long enough that they can be played in the proper manner. It may take 5 years, 10 or 20, but if the payoff is valuable enough, it's worth the wait for the threat actor.
> There is practically zero scenarios where hacking ANY bitwarden account 20 years from now nets you anything useful.
Bitwarden is a password manager, yes? What about cloud accounts of someone's employer, like an AWS account that runs $1,000,000 of monthly assets? That wouldn't be valuable in 20 years?
What about VPN credentials for some big tech intranet? Yeah, hopefully they use MFA and they expire passwords before 20 years, but just in case, right?
I can certainly see nation-state actors hanging on to juicy encrypted password manager vaults, just on the off-chance they could hit the jackpot. I can think of plenty of accounts that would still be valuable and enabled 20 years from now.
Now as I said, a significant threat actor with lots of time in their future plans can collect encrypted stuff such as vaults and bide their time. Someday, the decryption may be cost-effectively cheap. Someday, a flaw may be uncovered in the cryptography. Someday, a vault owner's secret key(s) may leak and can be correlated.
As I said, it's just a question of time, and the ability to hold on to your cards for long enough that they can be played in the proper manner. It may take 5 years, 10 or 20, but if the payoff is valuable enough, it's worth the wait for the threat actor.