How we verify if a user's password has been used in a data breach

Why is my password not secure?

Since 2019 we're checking passwords that users enter against the haveibeenpwned.com API, a service that can be used to check if your password is secure without compromising privacy. This has provend to be a highly effective way to increase security and has prevented hundreds of users from using insecure passwords. If you see a message telling you that your password is not secure, it means that the password has been leaked in a data breach and we won't allow you to use the password on Passcreator.

How we check if your password is not secure

Troy Hunt, a well-respected Security Researcher created haveibeenpwned which is a database that have been discovered in highly publicised or well-known data breaches. We will run a check against this database to see if your password was on such data breaches.
This however does not mean that we send the password you enter to any other external service!
The mechanism we use is called "search by range" and only uses a small portion of the SHA1 has of a password. This means the check uses k-anonymity to make sure no data is leaked at all.

What should you do if your password is not secure?

In general you should use different passwords for each and every account you have online. Also using randomly generated, secure passwords is a good approach. If your password has been cracked already, make sure to change it wherever you used it and take additional steps like running anti-virus programs.