Check Passwords Against Breached Passwords

Google Chrome’s password manager has a feature that checks to see if any of your passwords were involved in a breach. It also checks for other weaknesses in passwords like reusing passwords or weak passwords and gives an assessment report. It would be amazing to be able to schedule this service to run at reoccurring intervals. This would really improve the value of the password manager and the security features of Brave as a whole to keep users better protected from cyber security threats.


That’s because Google stores your passwords on their servers and knows all of your data. Brave doesn’t ever look or analyze our passwords and other personal data.

I was only providing Google as an example. I’m not suggesting it be implemented the same way.

Understood. I just used them as an example as well. The problem is that being able to check passwords against breaches and all would require the browser to monitor your passwords and everything. This generally goes a step in the wrong direction for a company like Brave that is all about privacy.

I know also some websites like https://haveibeenpwned.com/ or https://cybernews.com/personal-data-leak-check/ exist to help figure out where some breaches have occurred.

That said, I’m not sure what the best option would be around this. Currently there’s a big push for people to stop using passwords and to instead move to things like passkeys as they are much safer in general.

In any case, let me tag in @fmarier and @clifton to see if either might be willing or able to speak on whether Brave might be considering anything on this and what they suggest for users.

I think this is oversimplifying a bit. I believe Brave has become popular because it balances privacy with usability. For example anyone who wants absolute privacy would disable JS, Brave doesn’t by default because it makes the web much less usable. Additionally Brave recently removed the strict option under block fingerprinting partially because it breaks compatibility with some sites. There are already some browsers that take a very aggressive approach like Tor; Brave strikes a nice balance which gives it mainstream appeal.

I do know about those websites, just looking for a solution that is more automated.

Thanks for sharing about passkeys, I had not heard about them before. I’ll admit I don’t really understand it, but I’m all for increased security and fewer passwords! Hopefully the industry can adopt them quickly.

Anyway thanks for the discussion and thanks for forwarding this on!

1 Like

I agree that it would add a lot of value to Brave. This is something that we’ve been wanting to do for a while but haven’t gotten around to yet:

It turns out that one can use fancy cryptography to check whether or not locally-stored passwords are part of a list of compromised passwords hosted on a server without sharing the passwords with the server. So it can be done in a privacy-conscious way. Our Research team has prototyped such a system. Of course, one of the problems that one has to solve in order to provide a useful service is to get enough fresh data about compromised accounts and passwords.

All of this to say that we don’t have it yet, but we have done some work around trying to find a “Brave way” of doing this. You can subscribe to the above GitHub issue if you’d like to receive an update when we have more to share about that feature.

3 Likes
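
As an added illustration (not part of the thread, and not Brave's prototype, whose design the post above does not describe): one known way to test a locally stored password against a server-side list without revealing it is a Diffie-Hellman-style blinded lookup. The toy group, the `BreachServer` class, the function names and the sample passwords are assumptions made for this example.

```python
import hashlib
import secrets
from math import gcd

# Toy group: integers modulo the Mersenne prime 2**521 - 1, chosen only so the
# example runs with the standard library. A deployment would use a prime-order
# elliptic-curve group instead.
P = 2**521 - 1
ORDER = P - 1  # order of the multiplicative group modulo P


def hash_to_group(password: str) -> int:
    """Map a password to a non-zero group element (SHA-256 output is < P)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") or 1


class BreachServer:
    """Hypothetical service holding the breached list and a secret exponent k."""

    def __init__(self, breached):
        self._k = secrets.randbelow(ORDER - 2) + 2
        # Published set: H(x)^k for every breached password x.
        self.published = {pow(hash_to_group(x), self._k, P) for x in breached}

    def evaluate(self, blinded: int) -> int:
        # The server receives only the blinded element H(pw)^r,
        # never pw or H(pw) itself.
        return pow(blinded, self._k, P)


def blind(password: str):
    """Client side: return (blinded element, unblinding exponent)."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if gcd(r, ORDER) == 1:  # r must be invertible modulo the group order
            return pow(hash_to_group(password), r, P), pow(r, -1, ORDER)


def is_breached(password: str, server: BreachServer) -> bool:
    blinded, r_inv = blind(password)
    evaluated = server.evaluate(blinded)   # H(pw)^(r*k)
    unblinded = pow(evaluated, r_inv, P)   # H(pw)^k, comparable to published set
    return unblinded in server.published


# Constructed sample data, not a real breach corpus.
SERVER = BreachServer(["password123", "letmein", "qwerty2020"])
```

In practice the published set is far too large to ship to every client, so designs of this kind usually combine the blinding with a short hash-prefix bucket so that only a slice of the set is downloaded.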

What a smart solution! Thank you so much for your hard work on an amazing piece of software!

1 Like