When checking whether a password was released in a data leak, does the app query a local database or does it fetch from a server?
If it is the latter, can one set a VPN to route traffic through to intercept the password, as it doesn’t ask for the master password while checking a password.
I know the source code is available on GitHub, but I am not proficient enough to look it through.
For those not reading the resources linked above, the passwords being checked are never sent in clear-text. In the unlikely event that someone intercepts the network traffic using a SSL decrypter while you are running a report, all they would get is the first 5 characters of a SHA-1 hash of the passwords being checked, a so-called hashprefix.
Bottom line: If your passwords have not been previously been leaked (“pwned”), it would be impossible to deduce the password from the hashprefix information.
If you have a password that has been pwned, then someone who has the hashprefix and who also has a hash table of all leaked passwords could narrow down your password to a subset of around 400-600 entries in that table. Is this a security vulnerability? I would argue that it is not really, because your password is already on the list of leaked passwords (available for anybody to see). With modern hardware, it really isn’t that much harder to brute force the entire list of leaked passwords (a few billion) vs. just brute-forcing a shortlist of 400 candidates. As long as you immediately change any password that is identified as having been leaked, you should be safe.
With the RockYou2021 password list being the largest complication so far, getting a massive list of breached passwords in one place is more simple than ever.
And with new gen hardware, the time required to perform an offline attack has significantly decreased.