I have a very simple question, but for which I didn’t find an answer in the documentation: how does Bitwarden look for my passwords on the darkweb, if it doesn’t have access to them, only to hashes?
Hello @toropih and welcome to the community,
Great question here. This was actually brought up just a little while ago, in this post.
And answered best in the answer there by another community member,
Hope that answers your question, as it stands Bitwarden is able to check against known leaked password databases and still retain a zero-knowledge architecture where only you ever have control of your stored information.
To add some further clarification, when you run an Exposed Passwords Report from your Web Vault, it is not Bitwarden (the company) that is looking up your passwords on the dark web. It is the Bitwarden code running on your own computer that is accessing the decrypted passwords kept in the memory of your computer; the same Bitwarden code (running only on your computer) computes the hashes, and sends the hashprefix values to the haveibeenpwned service. Thus, Bitwarden (the company) is able to identify exposed passwords without ever having access to any of you password.
Thank you guys for the clarification, understood.
Following the links above I also found this more detailed explanation: