Need a VPN or DNS for your device?Get ExpressVPN Now
One ExpressVPN account. All devices.Get Apps for Free
Password Health is a feature in ExpressVPN Keys that assesses the security of your logins, as well as provides tips and guidance on how to improve it, protecting you against password hacks.
ExpressVPN Keys (ExpressVPN’s password manager) was built according to industry best practices for secure apps and cloud infrastructure, including conducting extensive threat models and security assessments. It has also been independently audited by cybersecurity experts (like Cure53) to ensure it delivers the highest standards in protecting your personal data.
Password Health was designed with your privacy in mind
The logins you store in ExpressVPN Keys cannot be accessed by ExpressVPN as they are protected by zero-knowledge encryption. This means only you can decrypt your passwords.
For that reason, the security of your logins is assessed locally on your own device. The result is only used to calculate your security score and show you useful suggestions in the app. Your security score is based on the strength of your passwords, whether you use the same password more than once, whether you’ve enabled two-factor authentication for compatible sites and apps, and whether the website URLs you stored are secure.
The password strength score gives a good indication of your password’s resistance against guessing or brute-force attacks. ExpressVPN Keys assesses the strength of your passwords when you update them, using the industry-standard zxcvbn library. The password strength score is stored for faster access and is only accessible whenever you unlock ExpressVPN Keys.
ExpressVPN Keys checks whether your passwords are used by more than one login in a privacy-preserving way, ensuring your passwords are not decrypted and loaded into memory unless absolutely necessary.
To achieve this:
- The first five characters of the hash of your password (which is an unintelligible string of characters representing your password) are stored in ExpressVPN Keys when you update your password.
- If more than one login uses the same first five characters of the hash of your password, the password will be decrypted to confirm it is reused.
ExpressVPN Keys checks whether the website URL saved for your logins starts with “http://” instead of the more secure “https://”, and warns you if it does, to avoid transmitting data unsecurely when you access the website to sign in.
ExpressVPN Keys lets you know whether your passwords have been exposed in data breaches aggregated by HaveIBeenPwned. Your personal data is never shared with any external parties during this process. If you do not wish to check for exposed passwords, you can always disable this feature in the app settings.
Your passwords are never sent to ExpressVPN or HaveIBeenPwned
- ExpressVPN Keys creates a 40-character hash of each password, which is an unintelligible string of characters representing your password.
- Keys compares the hash of each of your passwords to a curated list of most commonly leaked passwords, which is stored locally in the ExpressVPN app.
- Keys sends only the first five characters of each hash not found in the curated list to ExpressVPN Keys’ servers, which then transfer the request to HaveIBeenPwned.
- HaveIBeenPwned returns a list of vulnerable passwords that have hashes starting with the same five characters as yours.
- Finally, ExpressVPN Keys compares them locally on your device.
Your IP address is never sent to HaveIBeenPwned
To further protect your privacy, your IP address is never visible to HaveIBeenPwned.
When Keys checks for exposed passwords, the request first goes through the secure servers of ExpressVPN Keys before being forwarded to HaveIBeenPwned, and back through the same route.
Two-factor authentication (2FA) not enabled
ExpressVPN Keys notifies you if your saved accounts are compatible with 2FA and encourages you to enable it for those accounts. 2FA adds an extra layer of protection, preventing unauthorized access even if your passwords are compromised.
You can even use Keys as an authenticator when signing in to sites and services with 2FA enabled.