this post was submitted on 10 Feb 2024
1 points (57.1% liked)
Bitwarden
737 readers
1 users here now
Discuss the Paswordmanager Bitwarden.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
For authentication your password doesn’t need to be stored on the server. Instead, they store a password hash, which is essentially the answer that you get when you put your password in some sort of irreversible mathematical expression. By comparing the hash derived from your password when you enter it, with the hash from the database, they can confirm that you used the correct password. The decryption of your vault uses a different method and can’t be done with the password hash that they have stored in the database.
This is my best guess based on how hashing and encryption usually work, but I have no knowledge about the specific implementation of Bitwarden.
See, password hashing I'm familiar with. (or at least the concept)
But there's nothing stopping the web app just sending the password you've entered directly to the web server. It's open source, so I'm sure those with the skill have looked through the code, but every time you visit the page, you're reloading fresh code that could easily have changed since your last visit. It could even be targeted to specific users making it extremely difficult to look for.
This is a concern that's been in the back of my mind ever since I learned of password managers. I only began using one because I could self host it and cutoff any possible access.
I see. Well, that’s a valid concern, I guess. That’s similar to how WhatsApp is end-to-end encrypted, but they might as well be sending your private key somewhere, or your locally decrypted messages. In the end it’s to a certain extent based on trust, unless you can and are willing to control and/or audit the critical parts.