How Enpass checks for compromised passwords?

Enpass checks your passwords against lists of passwords that have been compromised in known data breaches. If you enable Check Compromised Passwords in Settings > Advanced, the Enpass app will notify any time one of your passwords has been compromised.

What is a compromised password?

Stolen passwords that are shared on the internet are known as "pwned" or compromised passwords. Enpass checks your passwords against a list of breached passwords managed by the trusted haveibeenpwned.com site.

These checks happen locally, on your device

Your passwords are never exposed. The Enpass app performs these checks on your device, preventing any exposure of your data.

None of your passwords are sent to anyone

Enpass detects compromised passwords on the k-Anonymity model. It hides the identity of an individual, and sends only the first five characters of your encrypted (SHA-1 hashed) passwords to haveibeenpwned.com. In response, haveibeenpwned sends all leaked passwords starting with those characters. The Enpass then compares your encrypted passwords, internally, against that list.

Each time Enpass checks for compromised passwords, it does so within whichever vault is currently selected. To check compromised passwords within all vaults, select All Vaults in the top-left corner of the app.