KeePass Password Health Check

Find weak, duplicate, and expired passwords in your KeePass .kdbx file — directly in your browser. The file never leaves your device.

Supported format: KeePass 2 / KeePassXC (.kdbx)
🛡️ Your file is decrypted and analyzed entirely inside your browser using the open-source kdbxweb library. No data is sent to any server. You can verify this by checking network requests in your browser's DevTools.

How it works

This tool performs three independent checks against every entry in your KeePass database:

⚠ Weak passwords

Each password is scored 0–4 by zxcvbn, Dropbox's open-source strength estimator. Scores 0 and 1 are flagged as weak or very weak — these are passwords that could be cracked in under a day on commodity hardware.

⚠ Duplicate passwords

All passwords are hashed in-memory and grouped by identical value. Entries that share a password are listed together — if one service is breached, every reuse is at risk.

⏰ Expired entries

Any entry where KeePass has recorded an expiry date in the past is listed here. KeePass lets you set per-entry expiry, and this check surfaces any that have silently lapsed.
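The duplicate and expired checks described above, as an added example that is not this tool's own code. It runs under Node.js and uses Node's `crypto` module rather than the browser's Web Crypto so the hashing stays synchronous. The entry shape (`title`, `password`, `expires`, `expiryTime`), the function names, the per-run HMAC key and the sample data are assumptions made for illustration.

```javascript
// Added example (Node.js). The entry shape {title, password, expires, expiryTime}
// is an assumption for illustration, not kdbxweb's object model.
const { createHmac, randomBytes } = require("node:crypto");

// Group entries that share a password. Passwords are compared through
// HMAC-SHA-256 keyed with a random per-run key, so the digests are useless
// outside this process and the report never contains a password.
function findDuplicates(entries) {
  const key = randomBytes(32);
  const groups = new Map();
  for (const e of entries) {
    if (!e.password) continue; // assumption: blank passwords are not counted as reuse
    const digest = createHmac("sha256", key).update(e.password, "utf8").digest("hex");
    if (!groups.has(digest)) groups.set(digest, []);
    groups.get(digest).push(e.title);
  }
  // Keep only groups with more than one entry; return titles only.
  return [...groups.values()].filter((titles) => titles.length > 1);
}

// An entry counts as expired only if its "Expires" flag is set AND the
// recorded time is in the past; a stale time with the flag off is ignored.
function findExpired(entries, now = new Date()) {
  return entries
    .filter((e) => e.expires === true && e.expiryTime instanceof Date)
    .filter((e) => e.expiryTime.getTime() < now.getTime())
    .map((e) => e.title);
}

// Constructed sample data, not taken from any real database.
const SAMPLE = [
  { title: "Mail", password: "correct horse", expires: true, expiryTime: new Date("2020-01-01T00:00:00Z") },
  { title: "Forum", password: "correct horse", expires: false, expiryTime: new Date("2020-01-01T00:00:00Z") },
  { title: "Bank", password: "Xq7!vL2#pR9z", expires: true, expiryTime: new Date("2999-01-01T00:00:00Z") },
  { title: "Notes", password: "", expires: false, expiryTime: null },
  { title: "Wiki", password: "", expires: false, expiryTime: null },
  { title: "Shop", password: "correct horse ", expires: false, expiryTime: null }, // trailing space: different password
];

function runSample() {
  const now = new Date("2024-06-01T00:00:00Z"); // fixed clock so the result is reproducible
  return { duplicates: findDuplicates(SAMPLE), expired: findExpired(SAMPLE, now) };
}

console.log(JSON.stringify(runSample()));
```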

✓ Privacy guarantee

The .kdbx file is decrypted using kdbxweb entirely in your browser's memory. There are zero network calls during analysis. Close the tab to wipe all data from memory.

Frequently asked questions

Is my KeePass file actually safe to use here?

Yes. The page runs entirely client-side JavaScript — there is no backend, no database, and no analytics that capture your data. The kdbxweb library decrypts your file locally using the master password you type, performs the analysis in memory, and discards everything when you close or refresh the tab. You can confirm this yourself: open DevTools → Network tab → reload and run an analysis. You will see zero outbound requests carrying your file or passwords.

What does a zxcvbn score of 0 or 1 actually mean?

zxcvbn simulates a realistic offline attack — dictionary words, common substitutions (p@ssw0rd), keyboard patterns (qwerty), and date sequences. Score 0 means the password would be cracked instantly (fewer than 100 guesses). Score 1 means it falls in fewer than 10,000 guesses — seconds on modern hardware. Scores 2–4 indicate hours to centuries of cracking time. Anything scoring 0 or 1 should be changed immediately, especially for important accounts.

My database uses a key file instead of (or in addition to) a master password — is that supported?

Key file support is not yet implemented in this tool. Currently only master-password-protected databases (or databases with no master password) are supported. If your database requires a key file, the decryption will fail with an error. Key file support is on the roadmap.

How do I set expiry dates in KeePass or KeePassXC?

In KeePassXC: open an entry → go to the Properties tab → check "Expires" and pick a date. In KeePass 2: double-click an entry → Properties tab → tick "Expires". Any entry with a past expiry date will appear in the Expired tab of this checker. Setting a 90-day or 180-day expiry on critical accounts is a good practice to force periodic rotation.