We programmers tend to spit the same technicalities we consume, and the non-technical savvy people just understand bla bla bla… happens the same with lawyers and basically everyone’s jargon.
Bitwarden servers (and if you setup your own, those servers too) are just a dump for encrypted data, unencrypted data never leaves your device (computer/phone). Bitwarden applications doesn’t know your password and they (as a company) have no way of doing a reset, because the “master password” is never stored anywhere. All BW ever sees is a bunch of (nonsensical) encrypted data.
So, how Bitwarden applications know when the password is right? Well, it doesn’t know anything about your password or it hashes. That’s the famous “Zero Knowledge”, in a super crude example this is how it looks like (with tons of added security):
[email protected] requests the vault.
- The vault is transmitted to the device encrypted.
- The password is used to try and decrypt the vault.
- If the password is wrong, the decryption returns garbage.
- If the password is right, the decryption returns normal data.
In fact, the decryption itself doesn’t know when things went ok, as for the algorithm is just: “with this bit of information, apply the encryption/decryption with this bytes of information”. For us is data and password, for the algorithms is far more complex.
So again, how the application knows when a password is the good one? By encrypting a know piece of information; if that information matches means the password is good (and the data isn’t garbage). In other words, when all of your info is encrypted also some small word is used for the comparison.
Is perfectly safe as it has been audited a couple times and has the pertinent certifications that it works the way I described. Bottom line and most important bit is: you unencrypted information never transits the wire.
Hopefully you have a clearer idea of it as a whole, if not I can gladly give you pointers on all the information so you understand what symmetric encryption, key derivation, cyphers and all of the gory small details mean; however that can be somehow overwhelming outside the programming context as that kind of information is never in the Layman form.
Now, in your case, you employer will see your vault in encrypted form, the very same information they will see when scanning the contents of your hard drive and find the file that Bitwarden uses to store the encrypted information (here are the locations).
The sad thing is that if your employer can eavesdrop into your connections they already know your passwords, not because Bitwarden… because when you send them through the sites themselves as the vast majority of sites use simple SSL encryption.