How we verify if a password has been used in a data breach

Show overview
How we verify if a password has been used in a data breach

Why is my password not secure?

Starting as of December 2019 we'll check passwords that users enter against the haveibeenpwned.com API. If you see a message telling you that your password is not secure, it means that the password has been leaked in a data breach and we won't allow you to use the password on Passcreator.

How we check if your password is not secure

Troy Hunt, a well-respected Security Researcher created haveibeenpwned which is a database that have been discovered in highly publicised or well-known data breaches. We will run a check against this database to see if your password was on such data breaches.
This however does not mean that we send the password you enter to any other external service!
The mechanism we use is called "search by range" and only uses a small portion of the SHA1 has of a password. This means the check uses k-anonymity to make sure no data is leaked at all.

What should you do if your password is not secure?

In general you should use different passwords for each and every account you have online. Also using randomly generated, secure passwords is a good approach. If your password has been cracked already, make sure to change it wherever you used it and take additional steps like running anti-virus programs.

Individual Security Settings for your Passcreator Account including Two-Factor Authentication Wallet passes on Android. Which app for which purpose?