4 Matching Annotations
- Apr 2025
-
Finally, a Master Password Hash is generated using PBKDF-SHA256 with a payload of the Master Key and with a salt of the master password. The Master Password Hash is sent to the Bitwarden server upon account creation and login, and used to authenticate the user account.
Bitwarden claim:
This claim is misleading because it implies that master passwords in any form are never transmitted over the Internet to a server, despite the fact that Master Password Hash is basically just master passwords in another form.
Unless Bitwarden implements zero-knowledge password proof, which isn't mentioned in their white paper.
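The derivation quoted above, as an added Python example (not Bitwarden's code and not part of the annotation), showing which value crosses the network and which stays on the client. Assumptions not stated in the quoted passage: the Master Key is PBKDF2-SHA256 of the master password salted with the account email at 600,000 iterations, the final hashing step uses one iteration, and `client_login_payload` and `server_accepts` are hypothetical names.

```python
import base64
import hashlib
import hmac

# Assumptions (not stated in the quoted passage): the Master Key is
# PBKDF2-SHA256 of the master password salted with the account email,
# and the final hashing step uses a single iteration.
MASTER_KEY_ITERATIONS = 600_000
HASH_ITERATIONS = 1


def derive_master_key(master_password: str, email: str,
                      iterations: int = MASTER_KEY_ITERATIONS) -> bytes:
    """Client-side key; it is never placed in the login payload."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations)


def derive_master_password_hash(master_key: bytes, master_password: str) -> bytes:
    """Quoted step: payload = Master Key, salt = master password."""
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), HASH_ITERATIONS)


def client_login_payload(email: str, master_password: str,
                         iterations: int = MASTER_KEY_ITERATIONS) -> dict:
    """Hypothetical request body: the only values that leave the client."""
    key = derive_master_key(master_password, email, iterations)
    mph = derive_master_password_hash(key, master_password)
    return {"email": email,
            "master_password_hash": base64.b64encode(mph).decode("ascii")}


def server_accepts(registered_hash_b64: str, payload: dict) -> bool:
    """Hypothetical server check: constant-time match on the presented value."""
    return hmac.compare_digest(registered_hash_b64,
                               payload["master_password_hash"])


if __name__ == "__main__":
    # Constructed sample credentials.
    email, password = "user@example.com", "correct horse battery staple"
    registered = client_login_payload(email, password)["master_password_hash"]
    print("sent to server:", client_login_payload(email, password))
    print("right password accepted:",
          server_accepts(registered, client_login_payload(email, password)))
    print("wrong password accepted:",
          server_accepts(registered, client_login_payload(email, "wrong")))
```

The payload holds neither the plaintext master password nor the Master Key, but the hash is deterministic for a given email and password, so it is the value the server authenticates on.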
-
Never transmitted over the internet to Bitwarden servers.
Does it mean Bitwarden never transmitted master passwords or an equivalent over the internet?
-
Bitwarden never stores and cannot access your master password or your cryptographic keys.
Sounds good.
-
- Apr 2020