Vault health score · Breach detection

Security Dashboard that stays zero-knowledge

See exactly how healthy your team's vault is — weak, reused, stale and breached credentials, scored from 0 to 100, all analysed in your browser.

In short

SealedKeys includes a built-in security dashboard that scores your vault from 0–100 and flags weak, reused, stale and breached credentials. The analysis runs in your browser on already-decrypted data, and breach checks use Have I Been Pwned k-anonymity so your passwords never leave your device. On top of that, proactive monitoring checks your account email against the breach database on a schedule and emails you when it appears in a new breach — so even your security audit stays zero-knowledge.

What the dashboard checks

Weak passwords

Every login password is scored for strength. Anything weak or only fair is flagged so you can replace it with a generated one.

Reused secrets

Passwords and API keys reused across multiple items are detected — one leaked credential should never unlock several accounts.

Stale credentials

Secrets that haven't been rotated in over 90 days are surfaced, with higher priority past 180 days.

Breached passwords

On demand, each password is checked against the Have I Been Pwned database of known breached credentials — without the password ever leaving your device.

Proactive email alerts

Beyond on-demand checks, we monitor your account email against the breach database on a schedule and email you the moment it appears in a new breach. On by default.

Breach checking that never sees your passwords

Most breach tools ask you to hand over an email address or credential to a third party. SealedKeys uses k-anonymity instead. Your password is hashed with SHA-1 locally, and only the first five characters of that hash are sent to the Have I Been Pwned range API. The match is resolved in your browser — the password itself, and the rest of its hash, never leave your device.

  • Password hashed in-browser before anything is sent
  • Only a 5-character hash prefix leaves the device, with padding
  • The full match is computed locally from the returned range
  • Consistent with zero-knowledge: the server is never involved

Proactive breach monitoring — without breaking zero-knowledge

On-demand checks are good, but breaches don't wait for you to log in. SealedKeys continuously monitors your account email address against the Have I Been Pwned breach database and emails you the moment it shows up in a new breach. Because we only ever check the email we already hold — never a vault secret or your master password — proactive monitoring stays fully consistent with zero-knowledge.

  • On by default — turn it off any time in Settings → Security
  • Only your account email is checked, never a stored secret
  • You're emailed only about new breaches, not ones you've already seen
  • An alert means an external account may be exposed — your encrypted vault is unaffected

One score, weighted by what matters

Every issue the dashboard finds is graded by severity and rolled into a single 0–100 health score, so your team always knows where it stands at a glance. Critical problems weigh most; the score is normalised against vault size so it stays fair whether you store 10 secrets or 1,000.

Fix a flagged item and the score moves immediately — there's no waiting for a server-side scan, because there isn't one.

Example findings
High: Reused across 3 items
Medium: Password strength is only fair
Medium: Not rotated in 214 days
Critical: Found in a known breach

Frequently asked questions

What does the SealedKeys security dashboard check?

Four things: weak passwords (scored for strength), reused secrets (the same password or API key used across multiple items), stale credentials (not rotated in over 90 days), and breached passwords (matched against the Have I Been Pwned database). Each issue is graded by severity and rolled into a single 0–100 vault health score.

How does the breach check work without exposing my passwords?

It uses k-anonymity. Your password is hashed with SHA-1 in your browser, and only the first five characters of that hash are sent to the Have I Been Pwned range API (with extra padding). The API returns a list of hash suffixes, and the match is found locally. Your actual password — and the rest of its hash — never leave your device.

Is this the same as dark web monitoring?

There are two layers. From the dashboard you can check your passwords against a large database of credentials exposed in known breaches, on demand, using a privacy-preserving method. On top of that, SealedKeys now runs proactive breach monitoring: we automatically check your account email address against the Have I Been Pwned breach database on a schedule and email you whenever it appears in a new breach. It's on by default and can be turned off in Settings → Security.

Does proactive breach monitoring see my passwords or vault?

No. Proactive monitoring only checks your account email address against the Have I Been Pwned breach database on a schedule — the same email you log in with, which the server already holds. It never touches a vault secret, a stored password, or your master password, so it's fully consistent with zero-knowledge. When your email turns up in a new breach we email you so you can rotate any affected external accounts; your encrypted SealedKeys vault is never the thing that was breached. It's on by default and can be switched off in Settings → Security.

How is the security score calculated?

Each detected issue deducts points weighted by severity — critical issues weigh most, then high, medium and low. The total deduction is normalised against your vault size and subtracted from 100, giving a score from 0 to 100. A smaller vault with one weak password is penalised more than the same issue in a large, otherwise-healthy vault.

Does the security analysis weaken zero-knowledge?

No. The entire analysis runs client-side, in your browser, on items that are already decrypted there. The server never sees your plaintext secrets or your health report — the same zero-knowledge guarantee that applies to the rest of SealedKeys applies here too.

See your vault's health score

Free to start. 25 items free forever. No credit card required.