Breach Monitoring
SyVault checks your stored passwords against known data breaches using the HaveIBeenPwned (HIBP) database. The check is designed so that your passwords are never exposed -- not even to the HIBP service.
How k-Anonymity Works
- SyVault computes the SHA-1 hash of each password locally on your device.
- Only the first 5 characters of the hash are sent to the HIBP API.
- HIBP returns all hash suffixes in that bucket (typically 500 -- 800 entries).
- SyVault compares the full hash against the returned suffixes entirely on-device.
The result: HIBP never receives your full hash, and your plaintext password never leaves the device.
k-Anonymity means that even if network traffic were intercepted, an attacker would only see a 5-character hash prefix shared by hundreds of unrelated passwords.
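The device-side half of the exchange described above, as an added example that is not SyVault's own code: it hashes locally, sends only the 5-character prefix, and matches the suffix against the returned bucket. The HIBP range response body is constructed inline (including the breach count) so the example runs offline; `offline_fetch` is a hypothetical stand-in for the HTTPS call.

```python
import hashlib

# Constructed sample response for the prefix bucket "5BAA6", in the
# "SUFFIX:COUNT" line format the HIBP range API returns. Real buckets hold
# hundreds of lines; these few are enough to show the on-device comparison.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2F4DBC0B4A8E8F97F2F8F1F7B4E2C3D4E5F:0
"""

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Entries with count 0 are the
    padding HIBP adds when the Add-Padding header is sent; they are skipped."""
    bucket: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            bucket[suffix.upper()] = int(count)
    return bucket

def breach_count(password: str, fetch_range) -> int:
    """Return how many breaches the password appears in (0 if none).
    fetch_range(prefix) stands in for the HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; the prefix is the only
    value that ever leaves the device."""
    prefix, suffix = split_hash(password)
    bucket = parse_range_response(fetch_range(prefix))
    return bucket.get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Hypothetical transport: serves the constructed bucket for "5BAA6"
    and an empty bucket for any other prefix, so the example runs offline."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
```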
Security Dashboard
Breach results are surfaced on the Security Dashboard, where each compromised credential is flagged with the number of known breaches it appears in. From there you can:
- Sort by severity (number of breach appearances).
- Jump directly to the affected record to update the password.
- Dismiss a finding if you have already rotated the credential.
Continuous Monitoring
Enable continuous monitoring in Settings > Security to have SyVault re-check your vault automatically each time it is unlocked. Manual scans can be triggered any time from the Security Dashboard.
A password appearing in zero breaches does not guarantee it is safe -- it only means it has not appeared in publicly known breach datasets. Always use unique, strong passwords for every account.
Privacy Guarantee
No plaintext passwords, full hashes, or vault metadata are ever transmitted during a breach check. All processing happens locally, consistent with SyVault's zero-knowledge architecture.