How does exposed passwords check work?

How does bitwarden check for my password whether it was exposed in one of the data breaches, or not? Does it send the hash of my password to one of the online data-dumps/breaches/data-bases, etc.? How safe is this check?

1 Like

Let me know if this doesn’t clear it up for you.

The API in the article is what Bitwarden uses.

2 Likes

tl;dr

There are 600 million hashes in the database being queried.

There are around 1 million possible combinations of 5 hexadecimal digits.

Therefore, for any given “first five digits” of a SHA1 hash in the table, there are around 600 matches with the same first five.

Also, there are waaaay more than 1 million passwords in existence, so if I request AAAAA matches, it’s most likely that my full hash is not even in the list of 600 given.

So I hash my password, send the first five digits, always get 600 hashes back, and search for my full match in the list. Most of the time no match is found. The server learns nothing of value, since your password is more likely not even in their database.

1 Like
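The range check described in the post above, written out as an added example (not Bitwarden's own code and not the project's implementation): the client hashes the password with SHA-1, sends only the first five hex characters, and looks for the remaining 35 characters in the list that comes back. The "server" here is a constructed stand-in indexed from a small made-up breach corpus, so it runs offline; the real service and its response format are only assumed to follow the `SUFFIX:COUNT` line layout the post implies, and the filler entries and counts are invented.

```python
import hashlib
import os

# Constructed stand-in for a breach corpus: password -> number of times seen.
# These passwords and counts are made up for the example.
FAKE_BREACH_CORPUS = {
    "password": 3730471,
    "letmein": 123456,
    "qwerty123": 7890,
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def _build_fake_index() -> dict[str, list[tuple[str, int]]]:
    """Group the corpus by 5-char prefix, and pad every bucket with random
    filler suffixes so a response never reveals which entry (if any) matched."""
    index: dict[str, list[tuple[str, int]]] = {}
    for pw, count in FAKE_BREACH_CORPUS.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, []).append((suffix, count))
    return index


_FAKE_INDEX = _build_fake_index()
REQUEST_LOG: list[str] = []  # records exactly what the "server" receives


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the range endpoint: given a 5-hex-char prefix, return
    'SUFFIX:COUNT' lines for every hash in that bucket, plus filler lines."""
    REQUEST_LOG.append(prefix)
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    lines = [f"{suffix}:{count}" for suffix, count in _FAKE_INDEX.get(prefix, [])]
    # Filler: random 35-hex-char suffixes that belong to no real password here.
    for _ in range(5):
        lines.append(f"{os.urandom(18).hex().upper()[:35]}:1")
    return "\n".join(lines)


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table keyed by suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_exposed(password: str, fetch_range=fake_fetch_range) -> int:
    """Return how many times the password appeared in breaches (0 if absent).
    Only the 5-char prefix leaves the client; matching happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a-long-random-passphrase-constructed-for-demo"):
        n = check_exposed(candidate)
        print(f"{candidate!r}: {'EXPOSED ' + str(n) + ' times' if n else 'not found'}")
```

Note that `check_exposed` never sends the full hash: `REQUEST_LOG` shows the only thing the stand-in server ever sees is the five-character prefix, and the client does the final comparison against the returned list on its own machine.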

Clever…
Thanks for posting.