4 Matching Annotations
  1. Apr 2025
    1. Finally, a Master Password Hash is generated using PBKDF-SHA256 with a payload of the Master Key and with a salt of the master password. The Master Password Hash is sent to the Bitwarden server upon account creation and login, and used to authenticate the user account.

      Bitwarden claim:

      Never transmitted over the internet to Bitwarden servers.

      This claim is misleading because it implies that master passwords in any form are never transmitted over the Internet to a server, despite the fact that the Master Password Hash is basically just master passwords in another form.

      Unless Bitwarden implements a zero-knowledge password proof, which isn't mentioned in their white paper.
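
The derivation quoted in the first annotation, as an added example (not part of the annotations and not Bitwarden's own code), written with PBKDF2-SHA256 from Python's standard library. Assumptions not stated on the page: the Master Key is stretched from the master password with the account email as salt, the iteration counts, and the hypothetical `server_accepts` comparison.

```python
import hashlib
import hmac

KDF_ITERATIONS = 600_000  # assumption: client-side iteration count, not given on the page


def derive_master_key(master_password: str, email: str,
                      iterations: int = KDF_ITERATIONS) -> bytes:
    """Assumed step (not quoted on the page): stretch the master password into a
    256-bit Master Key, salted with the normalised account email."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def derive_master_password_hash(master_key: bytes, master_password: str) -> bytes:
    """Step quoted above: payload = Master Key, salt = master password.
    A single iteration is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1)


def login_value(master_password: str, email: str,
                iterations: int = KDF_ITERATIONS) -> bytes:
    """The password-derived value that leaves the client at account creation and login."""
    key = derive_master_key(master_password, email, iterations)
    return derive_master_password_hash(key, master_password)


def server_accepts(stored: bytes, presented: bytes) -> bool:
    """Hypothetical server-side check: constant-time comparison of two hashes."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    # Constructed sample account, for illustration only.
    email, password = "alice@example.com", "correct horse battery staple"
    key = derive_master_key(password, email)
    sent = derive_master_password_hash(key, password)
    print("Master Password Hash sent to server:", sent.hex())
    print("same bytes as the Master Key?      ", sent == key)
    print("different password accepted?       ",
          server_accepts(sent, login_value("not the password", email)))
```

The value sent is a deterministic function of the email and master password, and it is distinct from the Master Key that stays on the client.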

    2. Never transmitted over the internet to Bitwarden servers.

      Does it mean Bitwarden never transmitted master passwords or an equivalent over the internet?

    3. Bitwarden never stores and cannot access your master password or your cryptographic keys.

      Sounds good.

  2. Apr 2020