Frequently Asked Questions

Short answer: Yes. We don't collect or store the passwords you enter on this site. (Keep reading for more information and technical details.)

To start with, we'll explain how the site works. We use two third-party solutions to check passwords. Both have an excellent reputation among cybersecurity pros. The first solution is an algorithm that we use to check passwords for resistance to brute-force attacks. This tool allows us to quickly calculate the approximate time it would take to brute-force the password on an average PC. The algorithm factors in the use of dictionaries and lists of common combinations of characters in English. Rest assured, the password you enter is not sent or saved anywhere. The second solution is Have I Been Pwned, which matches the entered password against databases of leaked accounts. Have I Been Pwned was created by renowned cybersecurity expert Troy Hunt, and it has become the de facto industry standard in recent years for checking passwords and accounts for leaks. The site hosts one of the most comprehensive and regularly updated collections of leaked accounts in the world. Does Have I Been Pwned secretly harvest users' passwords? Very unlikely, but just in case, we do not directly hand over the password that you enter. Instead, we use a so-called password hash — an encrypted value that can be used to check for the presence of a database entry, but not to calculate the password itself (at least, not without extreme difficulty). Learn more. What's more, we regularly check the security of our website and use secure data transfer (SSL/TLS). Some browsers may offer to save the password you enter on the site, or use one already saved for this domain (for example, for My Kaspersky). We do not recommend saving passwords in the browser, because it is not the most reliable storage method.

Okay, let's hypothetically assume that, despite the above security measures, someone is able to intercept the password you enter. To use it, they would also need to know your username. Without that, the password itself is useless. It analogous to losing your house key somewhere on a busy highway in another country. Unless the key has a tag with your address or some other identifier, losing it does not threaten the security of your home. Ditto for passwords. To be sure of your anonymity, visit the site in incognito mode (supported by all popular browsers). And it's a good idea to use a VPN.

Here's how to come up with an unbreakable password:

• First, make it long — at least 8 characters, but preferably longer.
• Second, use a good mix of characters. A strong password consists of a variety: upper- and lower-case letters, numbers, special symbols. That makes it less predictable and thus harder to crack.
• Third, make it memorable. The friendly password 12345-humpty-dumpty-satonthe-firewall and the scary combination ?Y]G9gWJ48zYkFBc@{nKw!’q are roughly equal in strength, but you’re unlikely to remember the latter. When devising a password, use mnemonic rules or invent your own system.
• Fourth, make it unique. Create a new password for every service that you use. That way, if one gets leaked, you won't have to change them all.

And to avoid having to remember lots of passwords and log in every time, use a password manager. For example, try Kaspersky Password Manager.

• First of all, use strong and unique passwords. Read more about how to come up with a strong password in this blog post.
• Enable two-factor authentication wherever possible. That way, in addition to needing your username and password, an attacker would also need a one-time code to log in to your account. You can receive this code in an text message or generate it in an authentication app (for example, Google Authenticator). Some sites let you use an authentication device (for example, YubiKey) as a second factor. Read more about two-factor authentication in this post.
• Check where and when your account was accessed. Many sites and apps let you view your login history and find out where you are currently signed in. If you suspect someone logged in to your account from an unfamiliar device, log it out (if necessary) and change the password to be on the safe side.
• Carefully choose the security info for restoring access to your account. Do not use answers to control questions that someone can easily google or guess — or that you yourself might forget.