Just take the string as bytes and hash it ffs

  • frezik@midwest.social
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    4 months ago

    Per your edit, you’re misunderstanding what Bitwarden does and why it’s different than normal web site password storage.

    Bitwarden is meant to not have any insight into your stored passwords what so ever. Bitwarden never needs to verify that the passwords you’ve stored match your input later on. The password you type into Bitwarden to unlock it is strictly for decrypting the database, and that only happens client side. Bitwarden itself never needs to even get the master password on the server side (except for initial setup, perhaps). It’d be a breach of trust and security if they did. Their system only needs to store encrypted passwords that are never decrypted or matched on their server.

    Typical website auth isn’t like that. They have to actually match your transmitted password against what’s in their database. If you transmitted the hashed password from the client and a bad actor on the server intercepted it, they could just send the hashed password and the server would match it as usual.