[GH-ISSUE #550] how does the password quality checks work? #356

New issue

Closed

opened 2026-03-03 01:28:19 +03:00 by kerem · 1 comment

kerem commented

2026-03-03 01:28:19 +03:00

Owner

Originally created by @jhaar on GitHub (Aug 1, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/550

Wow - this is amazing - so simple to set up as a docker image behind my apache reverse proxy. Well done!

So I've got firefox plugin, website and Android bitwarden app all working just fine. However, the password quality check - how did you even make that work? and is it via haveibeenpwned?

ie I'm under the impression the server only has a copy of my encrypted "blob" of passwords, so what is recovering the cleartext passwords, converting them into SHA1 hashes and then doing the haveibeenpwned API calls in order to see if they're stolen/etc? Is that all javascript in my browser? That's the only way I could imagine this being done "securely"/privately

Thanks for all the work!

Jason

Originally created by @jhaar on GitHub (Aug 1, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/550 Wow - this is amazing - so simple to set up as a docker image behind my apache reverse proxy. Well done! So I've got firefox plugin, website and Android bitwarden app all working just fine. However, the password quality check - how did you even make that work? and is it via haveibeenpwned? ie I'm under the impression the server only has a copy of my encrypted "blob" of passwords, so what is recovering the cleartext passwords, converting them into SHA1 hashes and then doing the haveibeenpwned API calls in order to see if they're stolen/etc? Is that all javascript in my browser? That's the only way I could imagine this being done "securely"/privately Thanks for all the work! Jason

kerem closed this issue

2026-03-03 01:28:19 +03:00

kerem commented

2026-03-03 01:28:20 +03:00

Author

Owner

@mprasil commented on GitHub (Aug 1, 2019):

Hi @jhaar, you're right, it's all done on client side, so kudos to upstream. Server gets only encrypted blobs. Hope that answers your question. Closing this, but feel free to reopen if you need more information.

@mprasil commented on GitHub (Aug 1, 2019): Hi @jhaar, you're right, it's all done on client side, so kudos to upstream. Server gets only encrypted blobs. Hope that answers your question. Closing this, but feel free to reopen if you need more information.