Is the login from the app encrypted?

the login from the app is encrypted, so that if we connect in a hotel network for example without vpn, the login would still be encrypted and protected as an https web connection.

I am not sure what your question is. Could you restate it.

The master password is hashed into an unrecognizable form by your computer, and then encrypted for transmission to Bitwarden’s servers using the TLS protocol.


Sorry for not answering sooner, I had a busy few days.
ok so the password before leaving my computer is hashed and encrypted to travel to the bitwarden server in such a way that it is never exposed.

@will The short answer is yes. Your master password is never transmitted or stored in plain text ever.

For a more complete explanation read this document. The graphs on pages 9-10 display the workflow.

Yes, you got it! :rocket:

But if it is transmitted in hash … we still have a problem…

in this web you enter the password in hash format and it returns it to you in plain text.

From the webpage that you linked:

This only works for “unsalted” hashes.

The master password hashes that are transmitted by Bitwarden are salted, so these pre-computed hash tables are ineffective.

In addition, is only capable of cracking the following types of hashes:

LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults

Bitwarden uses PBKDF2 for hashing by default, and Argon2id as an option, neither of which can be cracked using

Finally, has precomputed hashes for only 1,493,677,782 words. Thus, it cannot crack passphrases, which consist of multiple words.

If you want to try it to convince yourself, create a strong mater password by using Bitwarden’s password generator with the Type option set to Passphrase (keep all other settings at their default values), then enter your email address and the generated passphrase into the Email and Master Password input fields on Bitwarden’s interactive cryptography page; optionally, change the value to Client PBKDF2 Iterations to 600000 (or to the actual value from your account settings, if you are using PBKDF2-HMAC-SHA256 for key derivation). Finally, copy the computed value shown in the Master Password Hash field, and try to use (or any other hash cracking tool, including Hashcat) to crack the hash. It can’t be done in a million years.


Ok, so doubt solved, thank you very much for your answer and your time.