Password Health is a feature in ExpressVPN Keys that assesses the security of your logins, as well as provides tips and guidance on how to improve it, protecting you against password hacks.
Password Health was designed with your privacy in mind
The logins you store in ExpressVPN Keys cannot be accessed by ExpressVPN as they are protected by zero-knowledge encryption. This means only you can decrypt your passwords.
For that reason, the security of your logins is assessed locally on your own device. The result is only used to calculate your security score and show you useful suggestions in the app. Your security score is based on the strength of your passwords, whether you use the same password more than once, and whether the website URLs you stored are secure.
Password strength
The password strength score gives a good indication of your password’s resistance against guessing or brute-force attacks. ExpressVPN Keys assesses the strength of your passwords when you update them, using the industry-standard zxcvbn library. The password strength score is stored for faster access and is only accessible whenever you unlock ExpressVPN Keys.
Reused passwords
ExpressVPN Keys checks whether your passwords are used by more than one login in a privacy-preserving way, ensuring your passwords are not decrypted and loaded into memory unless absolutely necessary.
To achieve this:
- The first five characters of the hash of your password (which is an unintelligible string of characters representing your password) are stored in ExpressVPN Keys when you update your password.
- If more than one login uses the same first five characters of the hash of your password, the password will be decrypted to confirm it is reused.
Unsecure URLs
ExpressVPN Keys checks whether the website URL saved for your logins starts with “http://” instead of the more secure “https://”, and warns you if it does, to avoid transmitting data unsecurely when you access the website to sign in.
Exposed passwords
ExpressVPN Keys lets you know whether your passwords have been exposed in data breaches aggregated by HaveIBeenPwned. Your personal data is never shared with any external parties during this process. If you do not wish to check for exposed passwords, you can always disable this feature in the app settings.
Your passwords are never sent to ExpressVPN or HaveIBeenPwned
- ExpressVPN Keys creates a 40-character hash of each password, which is an unintelligible string of characters representing your password.
- Keys then sends only the first five characters of each hash to ExpressVPN Keys’ servers, which then transfer the request to HaveIBeenPwned.
- HaveIBeenPwned returns a list of vulnerable passwords that have hashes starting with the same five characters as yours.
- Finally, ExpressVPN Keys compares them locally on your device.
Your IP address is never sent to HaveIBeenPwned
To further protect your privacy, your IP address is never visible to HaveIBeenPwned.
When Keys checks for exposed passwords, the request first goes through the secure servers of ExpressVPN Keys before being forwarded to HaveIBeenPwned, and back through the same route.