
Looks great - congratulations! Could you please add if / how you store a hash of the user password for authentication - it's not discussed on the architecture page. Thank you.


We don't store your password's hash. Since we use authenticated encryption, clients can identify when the decryption of your masterKey fails because you used a key generated from a wrong password.


Ok, that's cool! But the client gets to download the encrypted master key without authentication, right? Doesn't that enable easy offline attacks or is the decryption too time-consuming?


No, the client has to first verify their email address and 2FA (if configured) to receive the encrypted keys. In addition to this, the decryption is time-consuming.
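An added example, not part of the thread and not the service's own code: a sketch of how a client can detect a wrong password without any stored password hash, because the authentication tag on the wrapped master key fails to verify. The choice of scrypt and AES-256-GCM from Node's `crypto` module, the KDF parameters, and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Memory-hard KDF so every password guess is expensive (illustrative parameters).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Hypothetical helper: derive the key-encryption key from the password.
function deriveKek(password, salt) {
  return crypto.scryptSync(password, salt, 32, KDF);
}

// Wrap a random master key under the password-derived key.
// Only salt, nonce, ciphertext and tag are stored; no password hash.
function wrapMasterKey(password, masterKey) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(masterKey), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the master key, or null when the tag does not verify
// (wrong password, or a blob modified in storage or transit).
function unwrapMasterKey(password, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKek(password, blob.salt), blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample values.
const masterKey = crypto.randomBytes(32);
const blob = wrapMasterKey('correct horse battery staple', masterKey);
console.log('right password recovers key:',
  unwrapMasterKey('correct horse battery staple', blob).equals(masterKey));
console.log('wrong password result:', unwrapMasterKey('wrong password', blob));
```

The same tag check is what an offline guesser would use to confirm a guess, which is why the blob is released only after email and 2FA verification and why the key derivation is deliberately slow.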



