
https://github.com/bitwarden/jslib/issues/52

I am astounded to see this missing from the report. Apparently the report was just their external API configuration or something?



It wasn't in the scope of this audit, but it's still somewhat concerning... PBKDF2 with SHA-256 (a super fast hash with hardware support) as a key derivation function (which should be slow and difficult and hard to do in hardware)? That doesn't sound right. The answer provided (cross platform compatibility) doesn't sound satisfying.

Was this discussed with the prior audit?

EDIT to add: Here's the 2018 "cryptographically right answer" on password hashing ( https://latacora.singles/2018/04/03/cryptographic-right-answ... ):

Password handling

Percival, 2009: scrypt or PBKDF2.

Ptacek, 2015: In order of preference, use scrypt, bcrypt, and then if nothing else is available PBKDF2.

Latacora, 2018: In order of preference, use scrypt, argon2, bcrypt, and then if nothing else is available PBKDF2.

You care about this if: you accept passwords from users or, anywhere in your system, have human-intelligible secret keys.

But, seriously: you can throw a dart at a wall to pick one of these. Technically, argon2 and scrypt are materially better than bcrypt, which is much better than PBKDF2. In practice, it mostly matters that you use a real secure password hash, and not as much which one you use.

Don’t build elaborate password-hash-agility schemes.

Avoid: SHA-3, naked SHA-2, SHA-1, MD5.

EDIT to UPDATE:

Bitwarden has commented (about an hour ago) that they'll fix this! Cool.

https://community.bitwarden.com/t/switch-to-argon2/350/23

https://github.com/bitwarden/jslib/issues/52


According to Insight's attestation this was a 5 day test focusing on:

1. External vulnerability assessment of the Bitwarden computing systems and web applications

2. External penetration testing of the Bitwarden computing systems and web applications



