I was wondering how the “Exposed Passwords” tool works when Bitwarden has zero knowledge of our passwords? How can they check against leaked passwords?
My understanding is that at some point, the decrypted password is checked against a database of leaked passwords. Does that happen locally on my machine? That’s very unlikely because this would require downloading a large database with all leaks.
It’s a great question and one that if you are asking means you truly secure about your security.
Regarding your question Bitwarden uses a service known as Have I Been Pwned (an online colloquial phrasing of the term “owned”) to check for known exposed passwords from previous data leaks.
Have I Been Pwned is a fantastic and highly trusted service, so much so that the FBI teamed up with HIBP to pipe in known dataleaks in an effort to disseminate security breaches quicker to the general public.
The service uses only hashes of the first 5 characters of a password which are sent to compare against the online HIBP service. Those that have the first part of this 5 character hash match have all similar hashes sent to your local machine, where those known exposed password hashes are then compared against the hash of your full password locally.
This is a pretty good article that describes the process.
Hope this helps explain, and the linked information is helpful
P.S. I should also note that many online password managers that offer similar monitoring services and breach checks either also use HIBP, or a similar service.