Version: Next

Security Dashboard

The Security Dashboard gives you a comprehensive, at-a-glance view of your vault's health. It analyzes every credential in your vault and produces an overall security score along with actionable recommendations.

Overall Security Score

The dashboard displays a score from 0 to 100, calculated as a weighted composite of four factors:

| Factor | Weight | What It Measures |
|---|---|---|
| Password Strength | 40% | Average zxcvbn score across all login records |
| Reused Passwords | 25% | Percentage of unique passwords vs. total logins |
| Old Passwords | 20% | Percentage of passwords updated within 180 days |
| Breach Status | 15% | Percentage of passwords not found in known breaches |

The score updates in real time as you replace weak, reused, or breached passwords. A score above 80 is considered good; above 90 is excellent.

Password Strength Analysis

SyVault evaluates every login record's password using the zxcvbn algorithm (developed by Dropbox), which estimates crack time based on pattern matching, dictionary words, keyboard patterns, dates, and sequence detection -- far more accurate than simple "has a symbol and a number" checks.

Each password receives a strength rating:

| Rating | zxcvbn Score | Estimated Crack Time |
|---|---|---|
| Critical | 0 | < 1 second |
| Weak | 1 | < 1 hour |
| Fair | 2 | < 1 day |
| Good | 3 | < 1 year |
| Strong | 4 | > 1 year (typically centuries) |

The dashboard lists all records with Critical and Weak passwords first, with a one-click Generate New Password button to replace each one. After generating a new password, SyVault prompts you to visit the site and update the password there as well.

Tip: Use the Sort by strength option to quickly find and fix your weakest passwords first. Improving even a handful of critical passwords can significantly boost your score.

Reused Password Detection

Reusing passwords is one of the highest-risk behaviors in credential security. If one site is breached, every account sharing that password is compromised.

The dashboard identifies groups of records that share the same password:

  • Each group is displayed with the reuse count (e.g., "Password used on 4 sites").
  • Click a group to see which records share the password.
  • A Fix button opens a flow to generate a unique password for each record.

All comparison happens locally. Passwords are never sent to the server for comparison. SyVault computes a hash of each plaintext password in memory and compares hashes.

Old Password Detection

Passwords that have not been changed in more than 180 days are flagged as stale. While password rotation for its own sake is no longer universally recommended, monitoring password age helps identify accounts you may have forgotten about or credentials from before you started using strong, unique passwords.

The dashboard shows:

  • Number of passwords older than 180 days.
  • A sortable list with the last-changed date for each.
  • Recommendations prioritized by the combination of age and weakness.

Tip: Focus on changing passwords that are both old AND weak or reused. A strong, unique password that is 2 years old is far less urgent than a weak, reused password that is 6 months old.

Breach Monitoring

SyVault checks your credentials against known data breaches using the Have I Been Pwned (HIBP) k-anonymity API:

  1. Each password is hashed with SHA-1 locally.
  2. The first 5 characters of the hash are sent to the HIBP API.
  3. HIBP returns all known breach hashes that share that 5-character prefix (typically 500-800 hashes).
  4. SyVault checks locally whether the full hash appears in the returned set.

Your passwords never leave your device. The k-anonymity model ensures that HIBP cannot determine which hash you are checking. This check runs automatically when you open the Security Dashboard and can be triggered manually with the Refresh button.
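The four steps above, as an added example (not SyVault's own code). The HIBP range endpoint is replaced by a constructed offline stand-in, `fake_range_api`, and all function names and sample passwords are assumptions made for illustration.

```python
import hashlib

# Constructed sample data standing in for a breach corpus: password -> times seen.
CONSTRUCTED_BREACHES = {"password": 3, "letmein": 7}

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def split_hash(password):
    """Step 1: hash locally, then split into 5-char prefix and 35-char suffix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def fake_range_api(prefix):
    """Hypothetical offline stand-in for the range endpoint (step 3).
    It receives only the prefix and returns 'SUFFIX:COUNT' lines."""
    lines = []
    for known, seen in CONSTRUCTED_BREACHES.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{seen}")
    # Constructed decoys model unrelated hashes that share the same prefix.
    for i in range(3):
        lines.append(f"{sha1_hex(f'{prefix}-decoy-{i}')[5:]}:{i + 1}")
    return "\r\n".join(lines)

def breach_count(suffix, range_body):
    """Step 4: match the full hash locally by looking for our suffix."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # a count of 0 is not a hit
    return 0

def check_password(password, fetch=fake_range_api):
    prefix, suffix = split_hash(password)
    # Step 2: the prefix is the only value handed to the network layer.
    return breach_count(suffix, fetch(prefix))

if __name__ == "__main__":
    for sample in ("password", "constructed-unbreached-Zx9!"):
        print(split_hash(sample)[0], check_password(sample))
```

Passing a different `fetch` callable lets you confirm in a test that nothing except the 5-character prefix reaches the network layer.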

Breached passwords are flagged with a red warning icon and should be changed immediately.

Danger: A breached password means the exact password text has appeared in a known data breach database. Even if the breach was from another site, attackers routinely test breached credentials across thousands of services (credential stuffing). Change breached passwords immediately.

Email Breach Monitoring

In addition to password checks, SyVault can monitor your email addresses against HIBP breach notifications:

  1. Go to Settings > Security > Breach Monitoring.
  2. Add the email addresses you want to monitor.
  3. SyVault checks periodically (daily) and notifies you if your email appears in a new breach.

This feature alerts you even when the breached password is not one you stored in SyVault, helping you stay aware of your overall exposure.