Password Vault Audit
A password vault auditor that runs in your browser. Drop an exported file from Bitwarden, KeePass, Chrome, Firefox, 1Password or LastPass — the audit scores each password's strength (with zxcvbn, the industry-standard library), groups duplicates that share the same password, and optionally checks each one against Have I Been Pwned's 800M+ leaked-password database. The breach check only sends a 5-character thumbprint of each password to HIBP — the protocol is designed so the server cannot identify which password you checked.
How to use
In your password manager, find the export option: Bitwarden (Tools → Export, JSON), KeePass (File → Export, CSV), Chrome (chrome://password-manager/passwords), Firefox (about:logins → ⋯ → Export Logins), 1Password (File → Export, 1PUX or CSV), LastPass (Advanced → Export).
Drag and drop the export, or paste CSV/JSON text. The format is auto-detected.
Click Run audit. zxcvbn scores every entry; the optional HIBP check finds breached ones. A progress bar shows the estimated time (~1s per 50 entries on the HIBP side).
Filter to Weak / Breached / Duplicates and change those passwords in your manager. Re-run the audit after to verify.
Find weak, reused and leaked passwords in your password manager — using the same k-anonymity breach check that 1Password and Bitwarden run internally
FAQ
Is my vault uploaded?
No. The vault is parsed and scored in your browser. The only data that leaves the tab is the 5-character thumbprint sent to Have I Been Pwned for the breach check — and HIBP's k-anonymity protocol is specifically designed so the server cannot identify which password you checked. The same protocol is built into 1Password Watchtower, Bitwarden Reports, Firefox Monitor and Chrome's breach warning.
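The client side of that range check, as an added example that is not this tool's own code: the password is hashed with SHA-1, only the first 5 hex characters are sent, and the remaining 35 are compared locally against the returned list. Assumptions: Node's `crypto` module does the hashing (a browser would use `crypto.subtle.digest`), and `fetchRange`, `fakeRange` and the corpus with its counts are hypothetical stand-ins constructed so the block runs offline.

```javascript
// Added example (not the tool's code): client side of a k-anonymity range check.
const { createHash } = require('node:crypto');

// SHA-1 the password; only the first 5 hex characters are ever sent.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Range response body: one "SUFFIX:COUNT" line per hash sharing the prefix.
function parseRange(body) {
  const counts = new Map();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(':');
    if (/^[0-9A-F]{35}$/i.test(suffix || '')) counts.set(suffix.toUpperCase(), Number(count) || 0);
  }
  return counts;
}

// fetchRange(prefix) -> response text. Hypothetical injected transport; a real
// client would GET https://api.pwnedpasswords.com/range/<prefix> instead.
function breachCounts(passwords, fetchRange) {
  const cache = new Map(); // one lookup per distinct prefix
  const result = new Map();
  for (const pw of new Set(passwords)) { // reused passwords are checked once
    const { prefix, suffix } = splitHash(pw);
    if (!cache.has(prefix)) cache.set(prefix, parseRange(fetchRange(prefix)));
    result.set(pw, cache.get(prefix).get(suffix) || 0); // absent or count 0 = not found
  }
  return result;
}

// Constructed stand-in for the server: a tiny "breach corpus" with made-up counts.
const CONSTRUCTED_CORPUS = new Map([['password', 12], ['Password123!', 7]]);
const sent = []; // everything that would leave the client
function fakeRange(prefix) {
  sent.push(prefix);
  const lines = ['0'.repeat(35) + ':0']; // padding-style entry with count 0
  for (const [pw, n] of CONSTRUCTED_CORPUS) {
    const h = splitHash(pw);
    if (h.prefix === prefix) lines.push(`${h.suffix}:${n}`);
  }
  return lines.join('\r\n');
}

function demo() {
  sent.length = 0;
  const vault = ['password', 'Password123!', 'password', 'kX9#constructed-unique-4471'];
  return { counts: breachCounts(vault, fakeRange), sent: [...sent] };
}
```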
Why audit if my manager already does this?
Three reasons. (1) Most managers only check passwords you save going forward — old entries from before the feature shipped are not rescored. (2) Browser-saved passwords (Chrome / Firefox / Safari) don't benefit from a 3rd-party manager's audit at all. (3) Running a one-shot audit on the full export gives you a single ranked list to triage — much faster than clicking through alerts.
What formats are supported?
Bitwarden JSON, KeePass CSV (KeePass 2.x export), Chrome CSV, Firefox CSV, 1Password CSV/1PUX, LastPass CSV. A generic CSV reader catches anything else with name + username + password columns.
How does duplicate detection work?
The audit groups entries by exact password match (case-sensitive). If a password appears in 3 entries, all 3 are flagged "reused on 2 other sites". This is the highest-priority fix.
Why is "Password123!" weak even with mixed case and a digit?
Because it is in the top 100 of every leaked password list. zxcvbn does dictionary matching, l33t substitution recognition, and keyboard-walk detection — it sees through superficial complexity.
Should I delete the exported file after?
Yes — securely wipe it as soon as you have applied the fixes. The export contains all your passwords in clear text; treat it the same as your master password.
Can I keep the report?
You can export the report as CSV or JSON for your records. The exported report omits passwords by default (it just shows the issues per entry) unless you tick "Reveal passwords in the report".