Password Vault Audit

A password vault auditor that runs entirely in your browser. Drop an exported file from Bitwarden, KeePass, Chrome, Firefox, 1Password, or LastPass — the audit parses the entries locally, scores each password via zxcvbn, detects reuse across sites, and (optionally) checks against the Have I Been Pwned breach database using k-anonymity. None of the parsed passwords ever leave your device.

How to use

1. Export your vault

In your password manager, find the export option: Bitwarden (Tools → Export, JSON), KeePass (File → Export, CSV), Chrome (chrome://password-manager/passwords), Firefox (about:logins → ⋯ → Export Logins), 1Password (File → Export, 1PUX or CSV), LastPass (Advanced → Export).

2. Drop the file

Drag and drop the export, or paste CSV/JSON text. The format is auto-detected.

3. Run the audit

Click Run audit. zxcvbn scores every entry; the optional HIBP check finds breached ones. The progress bar shows the estimated time (~1s per 50 entries on the HIBP side).

4. Fix and re-export

Filter to Weak / Breached / Duplicates and change those passwords in your manager. Re-run the audit afterwards to verify.

Find weak, reused, and leaked passwords in your password manager — without uploading the vault

🔒 Your vault is parsed in your browser. Only k-anonymous SHA-1 prefixes (first 5 hex chars) are sent to HIBP — never the full hashes or passwords.

Features

Multi-format import · Strength scoring (zxcvbn) · Duplicate detection · Breach check via HIBP k-anonymity · Filterable report · Local-only processing

FAQ

Is my vault uploaded?

No. The file is read and parsed by JavaScript in your browser. zxcvbn scoring runs locally. Only the SHA-1 hash prefixes (first 5 hex chars) of each password are sent to HIBP for the breach check, and that protocol is designed so the server cannot identify which password you checked.
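The k-anonymity lookup described above, as an added JavaScript example (not this tool's own code): the password is hashed locally, only the 5-character prefix is sent, and the returned suffix list is matched on the device. The function names are hypothetical, the endpoint and padding header in the comments come from the public Pwned Passwords API rather than from this page, and the sample response body is constructed.

```javascript
// Added example, not the tool's own code. Function names are hypothetical.
// Requires the Web Crypto global (browsers, recent Node.js) for sha1Hex only.

// SHA-1 of the password as 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await crypto.subtle.digest("SHA-1", new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("").toUpperCase();
}

// Split a hash into the 5-char prefix (sent) and 35-char suffix (kept local).
function splitHash(hashHex) {
  if (!/^[0-9A-Fa-f]{40}$/.test(hashHex)) throw new Error("expected 40 hex chars");
  const h = hashHex.toUpperCase();
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Look up our suffix in a range response body ("SUFFIX:COUNT" per line).
// Returns the breach count, or 0 when absent. Padded responses carry decoy
// lines with count 0, which therefore also read as "not breached".
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [s, n] = line.trim().split(":");
    if (s && s.toUpperCase() === suffix.toUpperCase()) return Number.parseInt(n, 10) || 0;
  }
  return 0;
}

// Full check. fetchRange(prefix) is injected so the logic runs offline; against
// the public API (an assumption, the page names no endpoint) it would be:
//   (p) => fetch("https://api.pwnedpasswords.com/range/" + p,
//                { headers: { "Add-Padding": "true" } }).then((r) => r.text())
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await fetchRange(prefix));
}

// Constructed sample: SHA-1("password") and a made-up response for prefix 5BAA6.
const SAMPLE_HASH = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8";
const SAMPLE_BODY = [
  "0018A45C4D1DEF81644B54AB7F969B88D65:3",    // constructed entry
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234", // constructed count
  "F".repeat(35) + ":0",                      // padding decoy
].join("\r\n");
```

The server sees only `5BAA6`, which is shared by every password whose SHA-1 starts with those five characters; the decision about which suffix matters is made locally in `countInRange`.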

What formats are supported?

Bitwarden JSON, KeePass CSV (KeePass 2.x export), Chrome CSV, Firefox CSV, 1Password CSV/1PUX, LastPass CSV. A generic CSV reader catches anything else with name + username + password columns.

How does duplicate detection work?

The audit groups entries by exact password match (case-sensitive). If a password appears in 3 entries, all 3 are flagged "reused on 2 other sites". This is the highest-priority fix.

Why is "Password123!" weak even with mixed case and a digit?

Because it is in the top 100 of every leaked password list. zxcvbn does dictionary matching, l33t substitution recognition, and keyboard-walk detection — it sees through superficial complexity.

Should I delete the exported file after?

Yes — securely wipe it as soon as you have applied the fixes. The export contains all your passwords in clear text; treat it the same as your master password.

Can you keep the report?

You can export the report as CSV or JSON for your records. The exported report omits passwords by default (it just shows the issues per entry) unless you tick "Reveal passwords in the report".
