Checking Compromised Passwords¶
Enpass checks your passwords against a list of breached passwords managed by haveibeenpwned to see if any of your passwords have appeared in data breaches. It’s a trustworthy procedure, ensuring that your passwords are secure in Enpass and are never sent to the internet.
There are two ways to check for compromised passwords in Enpass -
Checking Individual Password¶
From the detail screen of an item, tap on the password field → More →
Check if Compromised.
On the next screen, you’ll see a message to validate the operation. Tap
Enpass checks for the compromised passwords and displays results. Tap on Done
You will now see the results.
How does it work?¶
It works on the k-Anonymity model where the first five characters of your SHA1 hashed password (the 40-character hash created from your password) is sent to haveibeenpwned.com. In response, it sends the list of all the leaked passwords starting with those same five characters. Enpass then locally compares the passwords’ hash to the list, and if it finds any matching password, you get a warning that the password has been leaked on the internet and must never be used.
What to do if you have Compromised Passwords?¶
It is highly risky to use a compromised password because it is out there on the internet and visible to attackers. An attacker may not know that you have used that password, but you should still change it.
Change Password Immediately¶
We recommend to change the password immediately and create a unique and robust password for such accounts. You can use the built-in password generator to create strong passwords.
Enable Two-Factor Authentication¶
2FA is a stronger form of security that double-checks your identity upon login. Enpass can identify the websites where you can turn on 2FA. It can also act as the authenticator and generate one-time codes for supported accounts saved in the app.
Regularly keep a check on Passwords’ Health¶
You can keep a track on overall health of your passwords and logins from the Audit section.