🔐 Frequently Asked Questions
Find answers to common questions about password security, strength checking, and best practices for protecting your accounts.
Yes! All password strength checking is done locally in your browser; your password itself is never sent to any server. The tool runs entirely on your device.
The one optional network request is the breach check, which uses the k-anonymity model from Have I Been Pwned. Your password is hashed locally with SHA-1, and only the first 5 hex characters of the 40-character hash are sent to check whether it appears in known data breaches. Neither our servers nor the breach database ever sees your actual password or the full hash.
A strong password should be at least 12-16 characters long, include uppercase and lowercase letters, numbers, and special characters. Avoid common words, personal information, and predictable patterns. The best passwords are long, random, and unique for each account.
Hive Systems' 2024 password table estimates that a 16-character password drawing on all character classes would take 438 trillion years to crack, while an 8-character password of the same complexity falls in about 7 hours. Figures like these depend on the hash algorithm and hardware assumed (a password stored as a fast, unsalted hash such as MD5 falls far faster than one stored with bcrypt or Argon2); the robust takeaway is the ratio between short and long passwords, not the absolute numbers.
Key insight: length matters more than complexity. A passphrase of several random words, such as a 6-word EFF Diceware phrase (about 77 bits of entropy), is far stronger than an 8-character password that uses every character class (about 52 bits).
We use the Pwned Passwords range API from Have I Been Pwned (HIBP), which draws on billions of breached accounts from hundreds of data breaches, through its k-anonymity model. Your password is hashed locally, and only the first 5 characters of the hash are sent to check if it appears in known data breaches. This ensures your actual password is never exposed.
The process works like this: your password is converted to a SHA-1 hash. For the password "password", for example, that hash is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. Only its first 5 characters ("5BAA6") are sent to the API, which returns the suffixes of every breached hash starting with "5BAA6" (typically several hundred). Your browser then checks locally whether the remaining 35 characters of your hash appear in that list. This way, your actual password never leaves your device.
Absolutely! Password managers are essential for modern security. They generate strong, unique passwords for each site and remember them for you, eliminating the need to reuse passwords.
According to LastPass research (2023), 92% of people know using the same password is a security risk, yet 65% still do it. Password managers solve this problem by:
- Generating truly random, strong passwords for every account
- Storing them securely with AES-256 encryption
- Automatically filling them in when you log in
- Checking for compromised passwords in breach databases
- Alerting you to weak or reused credentials
Recommended options include Bitwarden (open-source; free tier, premium $10/year), 1Password (premium experience, about $36/year), and KeePassXC (free, local-only storage for maximum control).
Modern security guidance from NIST (2017) recommends changing passwords only when there's evidence of compromise, not on a scheduled basis. You should change your passwords immediately if:
- They've been exposed in a data breach
- You suspect your account has been compromised
- You've shared them with someone
- You used them on a public or shared computer
Otherwise, focus on using strong, unique passwords rather than changing them frequently. Forced periodic changes often lead to weaker passwords as people make minor, predictable modifications (Password1 → Password2 → Password3).
Studies of password expiration policies have found that forced rotation leads users to create weaker passwords and to write them down more often. Strong, unique passwords that aren't compromised don't need to be changed.
Absolutely essential! Microsoft's 2019 research found that accounts with MFA enabled resisted more than 99.9% of automated account-compromise attacks. Even if someone gets your password through phishing or a data breach, they still can't access your account without the second factor.
Best 2FA options (in order of security):
- Hardware security keys (YubiKey, Google Titan): Phishing-resistant, cryptographic proof of authentication. Most secure option available.
- Authenticator apps (Authy, Google Authenticator, Microsoft Authenticator): Generate time-based one-time codes (TOTP) locally on your device from a shared secret. Much more secure than SMS, though a code can still be captured by a real-time phishing site that relays it to the real login page within its 30-second window; hardware keys and passkeys close that gap.
- SMS codes: Vulnerable to SIM swapping attacks, but still far better than no 2FA at all.
Enable 2FA on every account that supports it, especially email, banking, and social media accounts.
Act immediately if your password is compromised:
- Change the password right away on the affected account
- Change it on any other accounts where you used the same or similar password
- Enable two-factor authentication if not already active
- Check for unauthorized access: Review recent login activity, account changes, purchases, or messages
- Review connected apps and devices and revoke any suspicious access
- Monitor the account for unusual activity in the following weeks
- Use a password manager to prevent password reuse in the future
If the breach exposed other information like security questions, email addresses, or payment details, update those as well. Consider placing a fraud alert on your credit reports if financial information was compromised.
Yes, when implemented correctly. Good password generators use cryptographically secure random number generators (CSPRNG) to create truly unpredictable passwords. The randomness comes from system entropy sources that cannot be predicted or reproduced.
A 16-character password drawn uniformly at random from the 95 printable ASCII characters (including space) has 95¹⁶ possible combinations (approximately 4.4 × 10³¹), making brute-force attacks computationally infeasible. Even with specialized hardware capable of hundreds of billions of attempts per second, cracking would take longer than the age of the universe.
Secure password generators:
- Built into password managers (Bitwarden, 1Password, KeePassXC)
- Browser-based generators from established security companies
- EFF Diceware method with physical dice for offline generation
Avoid: Simple online generators from unknown sources, predictable patterns, or any generator that doesn't explain its randomness source.
Different password policies reflect varying interpretations of security best practices, often based on outdated guidance. Older websites may require specific character types (uppercase, numbers, symbols) based on pre-2017 recommendations.
Modern guidance from NIST (2017):
- Minimum 8 characters, allow up to 64+ characters
- Check passwords against breach databases
- No complexity requirements (don't force special characters)
- No forced periodic password changes
- Allow all printable ASCII characters, spaces, and Unicode (normalizing Unicode before hashing)
Unfortunately, many organizations haven't updated their policies. Some restrictions are red flags:
- Short maximum length (e.g., 12-16 characters max): May indicate passwords stored in fixed-size fields or even plain text
- Prohibited special characters: Poor password handling that doesn't properly escape input
- Complex rules with character requirements: Forces predictable patterns users create to meet requirements
The best policy: minimum 12-16 characters, allow all characters, check against breaches, no forced changes.
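The policy above is straightforward to encode. The following is an added example, not the page's own checker: a validator in the NIST SP 800-63B style that enforces length, rejects breached and username-derived values, screens the trivial runs users reach for, and deliberately has no uppercase/digit/symbol rule. The 12-character minimum follows this page's recommendation (NIST's own floor is 8), and the tiny breach set is a constructed stand-in for a real corpus such as Pwned Passwords.

```python
import unicodedata

# Constructed stand-in for a breach corpus; a real deployment would consult the
# Have I Been Pwned range API or a local copy of the Pwned Passwords list.
BREACHED_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def _has_trivial_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive identical or sequential code points
    (aaaa, 1234, abcd, 4321): cheap screening for the patterns users fall back on."""
    cps = [ord(c) for c in pw]
    for i in range(len(cps) - run + 1):
        window = cps[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def validate_password(candidate: str, username: str = "",
                      min_len: int = 12, max_len: int = 128,
                      breached: set = BREACHED_PASSWORDS) -> list:
    """Return a list of problems (empty list means accepted).
    Deliberately absent: any requirement for specific character classes."""
    # NIST: apply Unicode normalization (NFKC/NFKD) before comparing or hashing,
    # so that visually identical inputs from different keyboards match.
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if pw.lower() in breached:
        problems.append("appears in a known breach")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _has_trivial_run(pw):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "Password1"]:
        print(repr(pw), validate_password(pw) or "accepted")
```

Note what happens to Tr0ub4dor&3: it satisfies every classic complexity rule and still fails, because at 11 characters it is simply too short. Spaces are accepted as-is, and a 128-character cap is there only to bound hashing cost, not to fit a database column.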
Passkeys are a modern authentication technology built on the FIDO2 and WebAuthn standards, designed to replace traditional passwords entirely. Instead of a shared secret (like a password), passkeys use public-key cryptography: a unique private key is stored securely on your device, while the corresponding public key is registered with the website.
When you sign in, your device proves it holds the private key without ever transmitting it, making phishing attacks virtually impossible. Authentication is confirmed through biometrics (fingerprint or face) or a device PIN.
Current adoption: Apple, Google, and Microsoft have all added passkey support to their platforms since 2022–2023. Apple's iCloud Keychain and Google Password Manager synchronize passkeys across a user's devices, while Windows Hello stores them on the device. Major services like PayPal, eBay, GitHub, and WhatsApp already support passkeys.
Advantages over passwords:
- No passwords to remember or steal
- Built-in phishing resistance
- No vulnerability to credential stuffing or brute-force attacks
- Faster sign-in experience
However, full replacement of passwords will take years due to legacy system support, user adoption curves, and the need for account recovery mechanisms. For now, passkeys and passwords will coexist, but passkeys represent the clear future of authentication.
Hackers use several sophisticated techniques to crack passwords, often combining multiple methods for maximum effectiveness:
- Brute-force attacks: Systematically trying every possible character combination — feasible for short passwords but exponentially harder as length increases.
- Dictionary attacks: Using wordlists of common passwords, phrases, and leaked credentials, often applying rules to generate variations like replacing letters with numbers (p@ssw0rd).
- Rainbow table attacks: Using precomputed hash-to-password lookup tables to reverse hashed passwords almost instantly, though salting defeats this method.
- Credential stuffing: Taking username-password pairs from one breach and testing them on other websites, exploiting password reuse.
Tools and speeds: Hashcat and John the Ripper are the standard cracking utilities, used by both security professionals and attackers. Modern GPUs have dramatically accelerated cracking: a single NVIDIA RTX 4090 can test over 164 billion MD5 hashes per second and 68 billion SHA-1 hashes per second. Those rates apply to fast, unsalted hashes; a deliberately slow password hash such as bcrypt or Argon2 brings the same card down to the order of hundreds of thousands of guesses per second. Against a fast hash, a cluster of eight such GPUs can exhaust every 8-character complex password in roughly an hour.
This is why password length matters so critically — each additional character multiplies cracking time exponentially. Using unique, long passwords (16+ characters) and enabling two-factor authentication are the most effective defenses against these techniques.
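The dictionary-plus-rules attack described above is worth seeing in miniature, because it explains why "p@ssw0rd" style substitutions add almost nothing. The following is an added example, not a tool from this page: a toy cracker that mangles a small wordlist the way a Hashcat rule file would (every subset of leet substitutions, optional capitalization, common suffixes) and checks the candidates against a set of unsalted MD5 hashes. The "leaked" hashes and the wordlist are constructed inline for the demonstration.

```python
import hashlib
import itertools

# Rule set: leet substitutions tried in every combination, then casing, then suffixes
LEET = [("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")]
SUFFIXES = ["", "1", "123", "!", "2024", "2024!", "2025"]


def mangle(word: str):
    """Yield Hashcat-style variants of one dictionary word."""
    for mask in itertools.product((False, True), repeat=len(LEET)):
        base = word
        for apply_sub, (plain, leet) in zip(mask, LEET):
            if apply_sub:
                base = base.replace(plain, leet)
        for cased in (base, base.capitalize()):
            for suffix in SUFFIXES:
                yield cased + suffix


def crack_md5(targets: set, wordlist) -> dict:
    """Return {hash: plaintext} for every target recovered from wordlist + rules.
    Because the hashes are unsalted, one candidate is checked against all
    targets at once; salting would force a separate pass per account."""
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = hashlib.md5(candidate.encode()).hexdigest()
            if h in targets and h not in found:
                found[h] = candidate
                if len(found) == len(targets):
                    return found
    return found


# Constructed "leaked" database: unsalted MD5 of four passwords. Three follow the
# patterns the rules cover; the fourth is 16 random characters and will survive.
LEAKED_PLAINTEXTS = ["P@ssw0rd123", "Summer2024!", "dragon", "xK9#mQ2$vL8@pR4z"]
LEAKED_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in LEAKED_PLAINTEXTS}
WORDLIST = ["password", "summer", "dragon", "letmein", "welcome", "qwerty"]

if __name__ == "__main__":
    for h, plain in crack_md5(LEAKED_HASHES, WORDLIST).items():
        print(h, "->", plain)
```

Six words and a handful of rules expand to under three thousand candidates, which a GPU clears in microseconds; real rule files expand each word thousands of times, which is why any password built from a dictionary word falls regardless of its symbols.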
Biometric authentication — including fingerprint scanning and facial recognition (Face ID) — offers strong security for most users, but comes with important trade-offs to understand.
Advantages: Biometrics are difficult to guess or steal remotely, unique to each individual, and always available without memorization. Modern implementations like Apple's Face ID use sophisticated 3D depth mapping and infrared sensors, while fingerprint readers employ capacitive or ultrasonic technology that reads sub-dermal features.
Liveness detection: Modern systems defeat presentation (spoofing) attacks using photographs, silicone molds, or 3D-printed replicas by verifying blood flow, skin texture, or involuntary micro-movements. This anti-spoofing technology has improved significantly in recent years.
Limitations and privacy concerns:
- Unlike passwords, you cannot change your fingerprint or face if compromised
- Biometric data stored in centralized databases presents a high-value target for attackers
- Some jurisdictions have enacted biometric privacy laws (Illinois BIPA, EU GDPR) restricting collection and storage
Best practices: Use biometrics as one factor in multi-factor authentication rather than as a sole method. Prefer on-device storage (Apple's Secure Enclave, Android's TEE) over cloud-based systems, and ensure the device supports anti-spoofing liveness detection. When properly implemented with on-device processing, biometric authentication provides an excellent balance of security and usability for everyday use.
Password entropy measures the unpredictability of a password in bits, calculated as E = log₂(R^L), where R is the character set size and L is the password length. Higher entropy means a password is harder to guess or brute-force.
- 37.6 bits — 8-character lowercase password (considered weak)
- 52 bits — 8-character mixed-case + numbers + symbols
- 77 bits — 6-word EFF Diceware passphrase (strong)
- 105 bits — 16-character fully random ASCII password (very strong)
Security experts recommend at least 60–80 bits for general accounts and 100+ bits for high-value accounts. The practical takeaway: length matters more than complexity. A 20-character string of randomly chosen lowercase letters (about 94 bits) has far more entropy than an 8-character password with mixed symbols (about 52 bits). The formula only holds when every character is chosen uniformly at random; a human-chosen password of the same length has much less entropy than it suggests.
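The entropy formula above, the CSPRNG generator discussed under password generators, and the GPU rates quoted in the cracking section fit together in a few lines. This is an added example, not code from this page's tool: it computes E = L · log₂(R) for the cases in the table, turns bits into an expected cracking time at a given guess rate, and generates passwords with the `secrets` module rather than `random`. The guess rates in the demo (1.6 × 10¹¹/s for MD5, 2 × 10⁵/s for bcrypt) are illustrative assumptions of the right order, not benchmarks.

```python
import math
import secrets
import string

ALPHABETS = {
    "lowercase": string.ascii_lowercase,                                          # 26
    "mixed case": string.ascii_letters,                                           # 52
    "mixed case + digits": string.ascii_letters + string.digits,                  # 62
    "all printable ASCII": string.ascii_letters + string.digits + string.punctuation,  # 94
}
EFF_LARGE_WORDLIST_SIZE = 7776  # 6^5 entries, one per roll of five dice


def entropy_bits(alphabet_size: int, length: int) -> float:
    """E = log2(R^L) = L * log2(R); valid only for uniformly random choices."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace on average."""
    return 2.0 ** bits / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 24 * 3600:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def generate_password(length: int = 16,
                      alphabet: str = ALPHABETS["all printable ASCII"]) -> str:
    """secrets.choice draws from the OS CSPRNG; random.choice is seedable and
    predictable and must never be used for credentials."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """Diceware-style selection; pass the real EFF large wordlist in practice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Illustrative assumed rates: MD5 on one RTX 4090-class GPU vs bcrypt on the same card
    MD5_RATE, BCRYPT_RATE = 1.6e11, 2e5
    cases = [("8 lowercase", entropy_bits(26, 8)),
             ("8 all printable", entropy_bits(94, 8)),
             ("6 EFF words", entropy_bits(EFF_LARGE_WORDLIST_SIZE, 6)),
             ("16 all printable", entropy_bits(94, 16)),
             ("20 lowercase", entropy_bits(26, 20))]
    for label, bits in cases:
        print(f"{label:18s} {bits:6.1f} bits  MD5: {human_duration(expected_crack_seconds(bits, MD5_RATE)):>15s}"
              f"  bcrypt: {human_duration(expected_crack_seconds(bits, BCRYPT_RATE))}")
    print(generate_password(), generate_passphrase(["alpha", "bravo", "charlie", "delta"]))
```

Run it and the two columns make the page's point: the hash algorithm moves every row by the same factor, but each extra character multiplies the time, so length dominates.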
Credential stuffing is a cyberattack where criminals use large collections of stolen username/password pairs from previous data breaches to automatically attempt logins across other websites and services, exploiting password reuse. With billions of credential pairs circulating on the dark web, automated tools test millions of combinations per hour.
The attack is highly effective because studies show 65% of people reuse passwords. Protection requires three layers:
- Use unique passwords for every account — a password manager makes this practical without memorization burden
- Enable two-factor authentication — so that even valid credentials cannot be used without the second factor
- Monitor for breach exposure — using Have I Been Pwned or your password manager's built-in breach monitoring
If you receive alerts about suspicious login attempts on an account, it may indicate a credential stuffing attempt against your account.
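From the defender's side, credential stuffing has a recognizable shape in authentication logs: one source address, many different usernames, mostly failures, and the occasional success that marks a real account takeover. The following is an added example, not from this page's tool: a small sliding-window detector run over a constructed login log (key=value lines with a UTC timestamp; the format and thresholds are assumptions for the demonstration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: one line per attempt. 203.0.113.5 sprays ten
# accounts and lands one; 198.51.100.7 is one user mistyping their own password.
AUTH_LOG = """\
2026-03-04T10:00:01Z ip=203.0.113.5 user=alice result=fail
2026-03-04T10:00:02Z ip=203.0.113.5 user=bob result=fail
2026-03-04T10:00:03Z ip=203.0.113.5 user=carol result=fail
2026-03-04T10:00:04Z ip=203.0.113.5 user=dave result=fail
2026-03-04T10:00:05Z ip=203.0.113.5 user=erin result=fail
2026-03-04T10:00:06Z ip=203.0.113.5 user=frank result=fail
2026-03-04T10:00:07Z ip=203.0.113.5 user=grace result=fail
2026-03-04T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2026-03-04T10:00:09Z ip=203.0.113.5 user=ivan result=fail
2026-03-04T10:00:10Z ip=203.0.113.5 user=judy result=ok
2026-03-04T10:01:00Z ip=198.51.100.7 user=alice result=fail
2026-03-04T10:01:20Z ip=198.51.100.7 user=alice result=fail
2026-03-04T10:01:40Z ip=198.51.100.7 user=alice result=ok
""".splitlines()


def parse_line(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_failures=8, min_distinct_users=5) -> dict:
    """Flag source IPs whose failures within any `window` span at least
    `min_distinct_users` accounts. One user failing repeatedly from one IP is
    not flagged; many accounts from one IP is the stuffing signature. Any
    success inside the same window is reported as a possible takeover."""
    by_ip = defaultdict(list)
    for event in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            failures = [e for e in span if e["result"] != "ok"]
            users = {e["user"] for e in failures}
            if len(failures) >= min_failures and len(users) >= min_distinct_users:
                alerts[ip] = {
                    "failures": len(failures),
                    "distinct_users": len(users),
                    "possible_takeovers": sorted(e["user"] for e in span if e["result"] == "ok"),
                }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(AUTH_LOG).items():
        print(ip, details)
```

Real campaigns spread attempts across thousands of proxy addresses to stay under per-IP thresholds, so production detection also keys on user agent, ASN, and the failure rate across the whole site; the per-IP window is the starting point, not the whole answer.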
K-anonymity is a privacy protection model that ensures your actual password is never revealed when checking breach databases. Here's how the HIBP (Have I Been Pwned) k-anonymity implementation works:
- Your password is hashed locally in your browser using SHA-1, producing a 40-character hex string
- Only the first 5 characters of that hash are sent to the HIBP API
- The API returns every hash suffix beginning with those 5 characters, each with the number of times it was seen in breaches — typically several hundred results
- Your browser locally compares your complete hash against the returned list
The server never sees your actual password or complete hash — only a 5-character prefix shared by several hundred other hashes. This design, created by Troy Hunt for HIBP, means the service cannot tell which of those passwords you checked. The "k" refers to the group size: every query blends in with the other hashes that share its prefix. One practical detail: response sizes differ from prefix to prefix, so an observer on the network could in principle narrow down the prefix from the size of the reply; HIBP supports an Add-Padding: true request header that pads every response with dummy entries, and clients should send it.
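The client side of the exchange described here (and in the breach-check answer earlier on this page) is only a few lines. The following is an added example, not the page's own checker: it splits the SHA-1 into the prefix that is sent and the suffix that stays local, parses a range response, and compares locally. The network call is isolated behind a function so the example runs offline against a constructed response body; the real HIBP call is shown but not exercised, and the breach counts in the sample are illustrative.

```python
import hashlib
import urllib.request


def split_sha1(password: str):
    """Uppercase hex SHA-1 of the password, split into the 5-character prefix
    that is sent and the 35-character suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Range responses are lines of SUFFIX:COUNT. With Add-Padding the server
    mixes in dummy suffixes with count 0, which this parser drops."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not seen).
    fetch_range(prefix) is the only network call, and it receives only the prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """The real HIBP call (not exercised offline). Add-Padding hides the true
    response size from an on-path observer."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body returned for prefix 5BAA6. The first suffix
# is the real remainder of SHA-1("password"); the counts are illustrative, and
# the last line mimics a padding entry.
SAMPLE_5BAA6_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:10
00000000000000000000000000000000000:0
"""


def fetch_range_offline(prefix: str) -> str:
    assert len(prefix) == 5, "only the 5-character prefix may be sent"
    return SAMPLE_5BAA6_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(split_sha1("password"))
    print(breach_count("password", fetch_range_offline))  # 9545824 in the sample
```

Swap `fetch_range_offline` for `fetch_range_online` to query the live service; nothing else changes, which is the point of keeping the hashing and comparison on the client.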
Password salting adds a unique, randomly generated string (the "salt") to each user's password before hashing. Instead of hash(password), the system computes hash(password + random_salt).
Salting serves two critical purposes:
- Defeats rainbow table attacks — precomputed tables mapping hashes to plaintexts are useless because each user's unique salt means attackers would need a separate rainbow table per salt — computationally infeasible
- Prevents pattern identification — even two users with identical passwords produce completely different hash values, so an attacker cannot quickly identify all accounts sharing a common password
The salt is stored alongside the hash in the database — its security comes from uniqueness, not secrecy. Modern algorithms like bcrypt and Argon2 handle salt generation automatically, eliminating the risk of developer error.
Hashing and encryption are fundamentally different operations:
- Hashing is one-way: it transforms a password into a fixed digest that cannot be mathematically reversed. Algorithms suited to passwords: bcrypt, Argon2id, scrypt, PBKDF2. SHA-256 is a general-purpose hash that is fast by design; on its own it is the wrong tool for password storage, since speed is exactly what the attacker wants
- Encryption is reversible: data encrypted with a key can be decrypted back to the original form. Algorithms: AES-256, RSA, ChaCha20
Passwords should always be hashed, never encrypted. If passwords are encrypted, whoever holds the encryption key can decrypt and read all user passwords — a catastrophic risk.
🚩 Critical red flag: If a website sends you your actual password in a "Forgot Password" email (instead of a reset link), they are storing your password in a recoverable form — either plaintext or encrypted. Change your password immediately and use that service only for non-sensitive purposes.
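Putting the salting and hashing answers together, this is what a correct password record looks like in code. The following is an added example, not code from any service mentioned on this page: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a stored iteration count, a constant-time verify, and the unsalted fast hash it replaces for contrast. The 600,000 iteration figure is OWASP's published minimum for this algorithm; the record format is an assumption for the example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Record = algorithm $ iterations $ salt $ derived key. The salt is not
    secret; it only has to be unique per record, so it is stored in the clear."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so timing does not leak how many leading bytes matched."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What not to do: fast, unsalted, and identical for every user with this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a)
    print(b)                     # same password, different salt, different record
    print(verify_password("correct horse battery staple", a))
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # identical digests
```

Storing the iteration count in the record is what lets a site raise the cost later and rehash each user at their next login, without a migration. Nothing in the record can be turned back into the password, which is the property the "Forgot Password" red flag above is testing for.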
Hardware security keys are physical devices (USB-A, USB-C, or NFC) implementing FIDO2/WebAuthn for the most secure form of two-factor authentication available. Popular options: YubiKey (Yubico) and Google Titan Security Key; Apple supports FIDO2 keys as a sign-in factor for Apple ID.
When logging in, you physically tap the key. It performs a cryptographic challenge-response — the private key never leaves the device. Key advantages:
- Phishing-resistant — authentication is bound to the specific website domain; a fake phishing site cannot capture and replay your authentication
- No SIM swap vulnerability — unlike SMS codes, there's nothing to intercept
- Works offline — no phone required, no battery, no network
Cost: $25–80 for most models. Supported by Google, Microsoft, GitHub, Dropbox, and most major services. Recommended for: journalists, activists, executives, anyone with high-value accounts (financial, email, cloud storage), and security-conscious users generally.
A passphrase is a sequence of multiple random words used as a credential — for example: "correct horse battery staple" or "purple-mountain-sunrise-kettle". Passphrases combine high entropy with memorability.
The famous xkcd #936 example illustrates the principle: 4 random common words provide ~44 bits of entropy and are easy to remember, while a seemingly complex password like Tr0ub4dor&3 has only ~28 bits of entropy and is harder to recall.
For maximum security, use the EFF Diceware method: roll physical dice to select words from the EFF wordlist, ensuring truly random selection free from human bias. A 6-word EFF Diceware passphrase provides ~77 bits of entropy.
Best uses for passphrases: master password for your password manager, computer login, full-disk encryption passphrase — situations where you must memorize the credential. For all other accounts, use your password manager to generate fully random strings.
While a dedicated password manager is strongly recommended, if you prefer an alternative to a cloud-synced manager, here are the safest options in order of security:
- KeePassXC (offline) — Free, open-source, stores an encrypted database file locally on your device. No cloud sync, no subscription, maximum control. Back up the encrypted file to USB drives.
- Encrypted notes file — Use VeraCrypt or your OS's encrypted vault to store passwords in an encrypted local file
- Physical password notebook — Written record in a locked location (safe, locked drawer). Never photograph or digitize it. Provides good protection from online attackers, but risks physical theft.
Critical caveat: Without a password manager, most people inevitably reuse passwords — the #1 cause of account compromise. Even Bitwarden's free tier enables unique passwords for every account and is significantly more secure than most alternatives. The threat model matters: online attackers are far more likely than physical burglars for most people.
You can assess a website's password security through observable signals:
✅ Green flags:
- HTTPS on all pages (padlock in address bar)
- "Forgot password" sends a one-time reset link — not your actual password
- Allows long passwords (64+ characters, no arbitrary maximum)
- Supports two-factor authentication
- Notifies you of logins from new devices or locations
- Provides account activity log
🚩 Red flags:
- Emails you your actual password (stored in plaintext or reversibly encrypted)
- Imposes a very low maximum password length (8 or 12 chars = possible plaintext storage)
- Blocks paste in password fields (breaks password managers, no security benefit)
- No form of 2FA available
- Never notified users about known breaches affecting their accounts
The most serious red flag is receiving your actual password via email — change it immediately and avoid trusting sensitive data to that service.
Zero-knowledge architecture means the password manager provider mathematically cannot access your stored passwords — only you can decrypt them. Here's how it works:
- Your master password never leaves your device
- It is used to derive an encryption key using a key derivation function (Argon2 or PBKDF2)
- That key encrypts your entire vault locally on your device
- Only the encrypted ciphertext is transmitted to and stored on the provider's servers
Even if the company is hacked, subpoenaed, or compelled by law enforcement, they have only encrypted data they cannot decrypt. This differs fundamentally from services that encrypt data with their own keys — in that case, the provider can access everything.
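The key point of a zero-knowledge design is that two different values are derived from the master password on the device: an encryption key that never leaves it, and a separate authentication hash that is all the server ever receives. The following is an added example, not any vendor's code: a key hierarchy of the shape Bitwarden describes in its security whitepaper, using PBKDF2 from the standard library (the vault encryption step itself is omitted; the iteration counts are assumptions for the example).

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 600_000   # client-side stretching (assumed for the example)
SERVER_ITERATIONS = 100_000   # server-side re-hash of whatever the client sends


def derive_master_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side. This key encrypts the vault and never leaves the device.
    Salting with the account email keeps it deterministic across devices."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side. One more one-way step with the roles swapped (key as the
    input, password as the salt): proves knowledge of the key without revealing it."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1)


def server_enroll(auth_hash: bytes) -> dict:
    """Server side. Even the auth hash is salted and stretched again before
    storage, so a database dump is not directly usable to log in."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def client_login_material(master_password: str, email: str):
    """Everything the client computes at login; only auth_hash is transmitted."""
    master_key = derive_master_key(master_password, email)
    return master_key, derive_auth_hash(master_key, master_password)


if __name__ == "__main__":
    key, auth = client_login_material("orbit-walnut-ferry-plasma", "user@example.com")
    record = server_enroll(auth)
    print("server accepts:", server_verify(record, auth))
    print("server holds:", record["hash"].hex())   # reveals neither key nor password
```

Because the server-side record is a one-way function of a one-way function of the key, a breach of the provider yields material that can only be attacked by guessing master passwords at full KDF cost, which is why the strength of the master password, not the provider's honesty, is the real limit.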
Password managers with independently audited zero-knowledge implementations:
- Bitwarden — Open source, publicly audited, self-hostable
- 1Password — Secret Key adds additional protection beyond master password
- Proton Pass — From Proton (the Proton Mail team), open source
To verify a manager's claims: look for third-party security audits published on their website and review open-source code if available.
Last Updated: March 4, 2026 | By: Simon Desjardins-Hogue, Security Researcher & Privacy Advocate
Find answers to common questions about password security, strength checking, and best practices for protecting your accounts.
Yes! All password checking is done locally in your browser. Your passwords are never sent to a server. The tool runs entirely on your device, which keeps the check private.
For breach checks, we use Have I Been Pwned's k-anonymity model. Your password is hashed locally with SHA-1, and only the first 5 characters of the hash are sent to check whether it appears in known data breaches. Your actual password is never exposed.
NIST (the US National Institute of Standards and Technology) updated its guidance in 2017 (SP 800-63B): change passwords only after a confirmed or suspected breach, not on an arbitrary schedule. Mandatory frequent changes tend to produce weaker passwords (people simply append "1" or "!" to the old one). The exception: if your password has appeared in a data breach, change it immediately on every account where you use it.
A password manager is encrypted software that generates, stores, and fills strong, unique passwords for each account. The short answer: yes, you should absolutely use one. The benefits: you only have to remember a single strong master password, and every account gets a long, random, unique password. Recommended options: Bitwarden (open source, free), 1Password, Dashlane, KeePass (local only).
Length is the most important factor in password security. 8 characters is the absolute minimum. 12-16 characters offer reasonable security. 20+ characters is ideal for critical accounts. Each additional character multiplies the time needed to crack the password. A password of 20 random characters is practically uncrackable with current computing capabilities.
A passphrase is a combination of several random words used as a password (e.g., "cheval-batterie-agrafe-correcte"). Benefits: easier to memorize than random characters, generally longer than traditional passwords, strong resistance to brute-force attacks. Use at least 4 random words for a solid passphrase.
Passkeys are a passwordless authentication technology developed by the FIDO Alliance, Apple, Google, and Microsoft. They use public-key cryptography: a private key is stored on your device, and a public key is registered with the server. Benefits: no password to memorize or steal, phishing-resistant by design, local biometric authentication. Many major services (Google, Apple, Microsoft, GitHub) now support passkeys.
Two-factor authentication adds a second layer of security beyond the password. Types, in order of security: hardware security keys (YubiKey), the most secure; authenticator apps (Google Authenticator, Authy), very secure; SMS, better than nothing but vulnerable to SIM swapping; email, convenient but less secure. 2FA can block up to 99.9% of automated attacks even if your password is compromised.