Jun 30, 2026

Weavestream Checks Every Password Against Have I Been Pwned — Without Sending Your Passwords Anywhere

Weavestream's built-in breach detection flags compromised credentials the moment they're saved — using a k-anonymity lookup that never sends the actual password to any external service.

There’s a category of security problem that most IT documentation platforms quietly ignore: the credentials you’ve already stored might be compromised. Not because someone broke into your vault, but because the service they protect was breached at some point, and the password leaked into one of the major credential dump databases months or years ago.

Weavestream addresses this out of the box. Every time a credential is created or updated in the vault, Weavestream automatically checks the password against the HaveIBeenPwned database and flags it if the password appears in known breach data. For MSPs managing credentials across dozens of clients, this turns a problem that’s easy to miss into one that’s impossible to ignore.


Why Stored Credentials Go Stale in Ways You Don’t Notice

The visible failure mode for a password vault is a breach of the vault itself — someone gets in, credentials leak. That’s what most security attention focuses on, and it’s why encryption matters.

The quieter failure mode is different. A client’s Microsoft 365 admin password was set three years ago, synced to nothing, changed by nobody, and sitting unchanged in your vault. Meanwhile, the email address attached to that account appeared in a breach dump 18 months ago, along with the same password pattern the client was using across services at the time.

Your vault is secure. The password inside it is not.

This is the problem HIBP breach checking solves. Instead of relying on someone remembering to rotate credentials periodically, Weavestream checks every password against breach data automatically — at the moment of creation and every time it’s updated. You don’t need a separate tool, a manual export, or a vulnerability scanner. The check runs as part of saving the record.


How the Check Works — Without Sending Your Passwords Anywhere

The obvious concern with checking passwords against an external database is that you’d be sending sensitive credentials to a third party. Weavestream doesn’t do that. The check uses k-anonymity — a lookup method specifically designed to query breach databases without revealing the queried value.

Here’s what actually happens:

  1. The candidate password is hashed with SHA-1 on the Weavestream server.
  2. Only the first 5 hex characters of that hash are sent to the HaveIBeenPwned API.
  3. The API returns a list of hash suffixes that match that 5-character prefix — typically hundreds of entries.
  4. Weavestream compares the full hash against the returned list locally.
  5. If the full hash appears in the list, the password is flagged as compromised. If not, it passes.

The full hash never leaves your server. The cleartext password never leaves your server. The 5-character prefix reveals nothing meaningful — it’s shared by thousands of different passwords. This is the same technique browsers and password managers use when they offer breach checking, and it’s been independently verified as safe.
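The five steps above, as an added worked example (not Weavestream's code; function names are assumptions): the network call is injected so the demo runs offline against a constructed range response, and a recording wrapper shows that only the 5-character prefix is ever passed out.

```python
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # the real HIBP range endpoint


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; return the 5-char prefix that is sent out and the
    35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach occurrences for the password (0 means not found).
    Only the prefix reaches fetch_range; the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network fetcher for the real range API (not called by the offline demo)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response. The first suffix is the real SHA-1
# remainder of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8);
# the other two are made-up decoys so the body looks like a multi-line range reply.
FAKE_RANGE_BODY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "0" * 34 + "A:2",
    "F" * 34 + "0:1",
])


def fake_fetch(prefix: str) -> str:
    return FAKE_RANGE_BODY


if __name__ == "__main__":
    sent = []  # records exactly what would go over the wire
    hits = breach_count("password", lambda p: (sent.append(p), fake_fetch(p))[1])
    print("sent to API:", sent, "-> breach count:", hits)
    print("unlisted passphrase ->", breach_count("correct horse battery staple", fake_fetch))
```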

For MSPs running Weavestream in a restricted network environment, HIBP checking can be disabled with HIBP_ENABLED=false in the .env configuration if outbound access to api.pwnedpasswords.com isn’t available.


What Happens When a Breach Is Detected

When a password matches a known breach record, Weavestream flags the credential directly in the vault interface. The record is marked as compromised, making it visible without requiring anyone to run a report or audit manually.

This matters for MSPs because the vault can span hundreds of credentials across dozens of clients. A flag at the record level means the issue surfaces exactly where the credential is managed, by whoever opens that record next — not buried in a separate security report that gets reviewed quarterly.


This Is a Compliance Control, Not Just a Convenience

For MSPs working with clients who have security requirements — whether that’s cyber insurance, SOC 2, Cyber Essentials, or a client’s own internal IT security policy — breach detection on stored credentials is increasingly expected as a baseline control.

The relevant question in a security review isn’t just “are your passwords encrypted?” It’s also “do you have a process for identifying compromised credentials?” With Weavestream’s automatic HIBP checking, the answer is yes, and it’s demonstrably automatic rather than depending on someone remembering to run a check.

Combined with Weavestream’s reveal audit trail (which logs every access to a credential with actor, timestamp, and IP) and version history (which records every change to a credential, with before-and-after values), the vault gives MSPs a documented credential security posture: credentials are checked against known breaches at creation and update, access is logged, and changes are retained indefinitely.

That’s a materially stronger answer than most standalone credential vaults or legacy IT documentation platforms can offer.


The Broader Vault Picture

Breach detection is one layer in Weavestream’s credential security stack. The others:

  • AES-256-GCM encryption at rest — with envelope encryption and support for key rotation without data loss
  • TOTP storage — authenticator-app two-factor secrets stored encrypted alongside the password
  • Per-password access controls — reason-to-view prompts, user whitelists, and client portal visibility flags
  • Version history — immutable before/after snapshots of every credential change
  • Reveal audit trail — tamper-resistant log of every time a credential is decrypted and displayed
  • Strength scoring — real-time zxcvbn-ts analysis showing weakness warnings and suggestions

Breach detection sits at the entry point of this stack. If a compromised credential is caught when someone tries to save it, none of the downstream controls need to deal with the fallout of that credential being used.


Getting Started

Breach detection is active by default in every Weavestream deployment — no configuration required. When you create or update a credential, the HIBP check runs automatically in the background.

If you’re onboarding an existing client’s credentials into Weavestream for the first time, each credential gets checked as it’s entered. It’s a useful forcing function: credentials that have been sitting unchecked in a spreadsheet or a previous documentation platform get evaluated against current breach data the moment they’re migrated across.

Weavestream is free, self-hosted, and open source. Find out more at weavestream.io.
