Password breach check - what gets checked?


I wanted to know if the password check feature which checks each password (in the free version) and the vault report (exposed password report for paid users) only checks for the password or also checks the username+password combination. As an example, the Google password check feature checks for the combination.

Is one better than the other?

For more information, please visit Vault Health Reports | Bitwarden Help & Support


Yes, sure, I read that.
Still not clear, hence wanted to check and get views.

Anyone who could throw some light on this?

It most likely sends the beginning of the hash to check if it matches anything in a leak. If it does, the server sends back all matching hashes, enabling the client to do a local lookup.
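The range query described above, as an added example that is not part of the original thread or of Bitwarden's code. It is modelled on the Have I Been Pwned Pwned Passwords scheme (SHA-1 of the password, client reveals only the first five hex characters, server returns every suffix in that range with its breach count); that this is the exact scheme in use is my assumption, not something the thread states. The breach corpus is constructed for the demo, and the "server" is a local function standing in for the network call. Because the check is keyed on the password hash alone, the last function shows that two usernames sharing one leaked password are flagged identically.

```python
import hashlib
from collections import Counter

# Constructed breach corpus standing in for the server-side database.
# Made-up entries for the demo, not data from any real leak.
BREACHED_PASSWORDS = Counter({
    "leaked-password": 3,
    "password123": 1000,
    "correct horse battery staple": 2,
})

# Assumption (HIBP-style): the client discloses only this many hex chars of the hash.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Hash the password locally; the plaintext never leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def server_range_lookup(prefix: str) -> dict:
    """Server side: return every hash suffix whose SHA-1 starts with `prefix`,
    mapped to its breach count. The server learns the prefix only, so it cannot
    tell which of the returned suffixes (if any) the client actually holds."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    matches = {}
    for pw, count in BREACHED_PASSWORDS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            matches[h[PREFIX_LEN:]] = count
    return matches


def client_check(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns the breach count, or 0 if the password is not in the corpus.
    No username is involved at any point."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = server_range_lookup(prefix)  # stands in for the network request
    return candidates.get(suffix, 0)


def flag_credentials(credentials):
    """Run the check over (username, password) pairs. Identical passwords yield
    identical results regardless of username, which is the behaviour asked about."""
    return [(user, client_check(pw) > 0) for user, pw in credentials]


if __name__ == "__main__":
    sample = [
        ("leaked-username", "leaked-password"),
        ("NOT-leaked-username", "leaked-password"),
        ("another-user", "a-long-random-passphrase-not-in-any-list"),
    ]
    for user, flagged in flag_credentials(sample):
        print(f"{user}: {'exposed' if flagged else 'ok'}")
```

Against a real service the range response holds hundreds of suffixes per prefix, which is what gives the k-anonymity; with this tiny corpus most ranges contain a single entry, but the client logic is the same.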

I read about k-anonymity and how it only sends a hash.

But if it gets a positive hit (i.e., the password was identified as having been compromised in a breach), does it flag it as such without checking the username? Logically, if the username was not identified in the breach, then the risk is low, since the actual username associated with the particular compromised password could be different.

Username: leaked-username
Password: leaked-password
Username: NOT-leaked-username
Password: leaked-password

Only the first one should be flagged by BW. But it flags both.
Am I correct?

It checks the password, not the combination of username and password.


Thanks! Good to know.