I’m seeing a confusing discrepancy in my Bitwarden Premium vault and I’m hoping to get some insights.
The Situation:
Bitwarden is flagging a specific password in my vault as “Vulnerable” and asking me to change it.
However, this password was randomly generated by Bitwarden itself - a 12-character password with uppercase, lowercase, and 3 special characters. Given the entropy, the odds of this being a “common” password are mathematically negligible. And it is a single-use password, not reused anywhere else.
The Mystery:
Manual HIBP Check: I used the HIBP “Pwned Passwords” web search - just the password string - it came back clean.
Manual API Check (k-anonymity): I hashed the string (SHA-1), took the first 5 characters as the prefix, and manually queried https://api.pwnedpasswords.com/range/{prefix}. I searched the results for my specific 35-character suffix, and it was not found.
Other leak database websites: The string was not found on many other websites I searched, including dehashed.com.
Website Action: Coincidentally or not, the website in question is also forcing a password reset upon login, maybe due to the age or figuring out it is an at-risk password, I don't know.
If the HIBP API and website return no match, why would Bitwarden flag it? Especially considering it is a strong random-character password, with the chance of it being in a leak database being next to zero.
Does Bitwarden use any additional databases or “risk-based” heuristics beyond the HIBP API?
I’ve already verified there are no duplicate entries or old versions of this password in my history that could be triggering the report. Would love to hear thoughts on this.
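The k-anonymity check described in the post, as an added example that is not part of the original post or of Bitwarden's or HIBP's code: the SHA-1 is split into the 5-character prefix that is sent to the range endpoint and the 35-character suffix that is matched locally, so the password itself never leaves the machine. The response format (`SUFFIX:COUNT` per line) and the `Add-Padding` header are HIBP's documented behaviour; the range response embedded below is constructed for offline use and its counts are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_hash_parts(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. With Add-Padding the API
    mixes in decoy suffixes with count 0; they are kept here and count
    as 'not breached' in pwned_count()."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in Pwned Passwords (0 = clean).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = hibp_hash_parts(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network query; only the 5-char prefix is transmitted."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API: a padded range response for prefix
# 5BAA6, which is the prefix of SHA-1("password"). Counts are made up, not HIBP data.
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804",  # SHA-1("password") suffix
    "A" * 35 + ":0",                                 # padding decoy
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",        # unrelated neighbour
])


def fetch_range_offline(prefix: str) -> str:
    """Offline substitute for fetch_range_live using the constructed response."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", pwned_count("password", fetch_range_offline))
    print("random   ->", pwned_count("a#*Sk3,hTI%x", fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_live` to run it against the real service. Two details worth checking when doing this by hand: the suffix comparison must be case-insensitive (the API returns upper-case hex), and a padded entry with count `0` is a decoy, not a hit.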
Bitwarden uses the zxcvbn algorithm to rate password strength. The algorithm looks for common words and passwords, as well as known patterns and transformations (“l337” substitutions, keyboard walks, etc.). When it cannot identify a dictionary word or pattern, it makes the very conservative estimate that a brute-force guessing scheme would only need to test a pool of 10 characters, which for true random passwords will significantly underestimate the strength. For example, the zxcvbn algorithm will consider the passwords a#*Sk3,hTI%x and 676493826432 to have equal strength.
It is also possible that your randomly generated password by coincidence includes some known common password pattern (e.g., a number sequence that looks like a year, a repeated sequence, a keyboard walk, etc.).
In the end, it is likely that this is a false positive, which could only be addressed by (unnecessarily) changing the password, or by voting for the following feature request:
If you do decide to change the password (just to get rid of the annoying warning banner), then you could share the old password here, for further post mortem analysis.