mprasil
commented
5 years ago Hi @jhaar, you're right, it's all done on client side, so kudos to upstream. Server gets only encrypted blobs. Hope that answers your question. Closing this, but feel free to reopen if you need more information.
Wow - this is amazing - so simple to set up as a docker image behind my apache reverse proxy. Well done!
So I've got firefox plugin, website and Android bitwarden app all working just fine. However, the password quality check - how did you even make that work? and is it via haveibeenpwned?
ie I'm under the impression the server only has a copy of my encrypted "blob" of passwords, so what is recovering the cleartext passwords, converting them into SHA1 hashes and then doing the haveibeenpwned API calls in order to see if they're stolen/etc? Is that all javascript in my browser? That's the only way I could imagine this being done "securely"/privately
Thanks for all the work!
Jason