They send the hash of the master key password after it's been encrypted to the server. They then encrypt the hash on the server side to auth you. They don't send the password itself.

What that article is saying (rightfully, mind you) is that an attacker can mostly ignore the server side round of encryption, because if they have a copy of your local vault, they can just perform the client side rounds and then see if they can decrypt the vault.

This is a problem mostly if you see their claims of 100000 rounds server side, and decide "oh that's fast enough, I'll drop the client side rounds to 5 so my vault is fast to open".
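An added example, not part of the comment above or of any vendor's code: a small model of the client/server split the comment describes, with a counter that tallies how many PBKDF2 iterations each operation costs. The salts, the "vault" (modelled as an HMAC tag that a candidate key either verifies or does not), and the use of PBKDF2-SHA256 are all constructed assumptions; the point it shows is that someone holding a copy of the local vault pays only the client-side rounds per guess, so the server-side round count contributes nothing to that case.

```python
import hashlib
import hmac

# Running total of PBKDF2 iterations performed, so the cost of an online login
# can be compared with the cost of an offline check against the vault copy.
WORK = {"iterations": 0}

# Constructed salts (assumption: a real service uses its own values).
CLIENT_SALT = b"user@example.com"
SERVER_SALT = b"constructed-server-salt-0123"


def pbkdf2(secret: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-SHA256 wrapper that records the iterations it spends."""
    WORK["iterations"] += rounds
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds)


def client_derive(master_password: str, client_rounds: int) -> bytes:
    """Client side: master password -> vault key (client_rounds iterations)."""
    return pbkdf2(master_password.encode(), CLIENT_SALT, client_rounds)


def client_auth_hash(vault_key: bytes) -> bytes:
    """Client side: one more round turns the vault key into the login value,
    so the server sees neither the password nor the vault key."""
    return pbkdf2(vault_key, CLIENT_SALT, 1)


def server_stretch(auth_hash: bytes, server_rounds: int) -> bytes:
    """Server side: stretch the received login value again before comparing."""
    return pbkdf2(auth_hash, SERVER_SALT, server_rounds)


def make_vault(master_password: str, client_rounds: int) -> bytes:
    """Model of the encrypted local vault: a tag that only the right key verifies."""
    key = client_derive(master_password, client_rounds)
    return hmac.new(key, b"vault-contents", hashlib.sha256).digest()


def enroll(master_password: str, client_rounds: int, server_rounds: int) -> bytes:
    """What the server stores at signup."""
    key = client_derive(master_password, client_rounds)
    return server_stretch(client_auth_hash(key), server_rounds)


def online_login(master_password: str, client_rounds: int,
                 server_rounds: int, stored: bytes) -> bool:
    """Full online path: client rounds + 1 + server rounds per attempt."""
    key = client_derive(master_password, client_rounds)
    return hmac.compare_digest(server_stretch(client_auth_hash(key), server_rounds), stored)


def offline_check(vault_tag: bytes, candidate: str, client_rounds: int) -> bool:
    """Offline path against a vault copy: the server step never runs."""
    key = client_derive(candidate, client_rounds)
    tag = hmac.new(key, b"vault-contents", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault_tag)


def cost_of(fn, *args):
    """Run fn and return (result, PBKDF2 iterations it consumed)."""
    before = WORK["iterations"]
    result = fn(*args)
    return result, WORK["iterations"] - before


if __name__ == "__main__":
    password = "correct horse"        # constructed sample master password
    for client_rounds in (5, 100000):
        server_rounds = 100000
        stored = enroll(password, client_rounds, server_rounds)
        vault = make_vault(password, client_rounds)
        _, online = cost_of(online_login, password, client_rounds, server_rounds, stored)
        _, offline = cost_of(offline_check, vault, password, client_rounds)
        print(f"client={client_rounds:>6} server={server_rounds}: "
              f"online attempt costs {online} iterations, "
              f"offline attempt against the vault costs {offline}")
```

With client rounds set to 5 the offline cost per guess is 5 iterations whatever the server does; raising client rounds to 100000 is what raises the offline cost, which is the comment's point.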
