Have I been ‘pwned’ by Kaspersky?
Q: I use Kaspersky Password Manager. The company says this employs “zero-knowledge security”, so my data is accessible only to me. Despite this, Kaspersky tells me it can supply a report showing how many times my passwords have been hacked according to the Have I Been Pwned? website (https://haveibeenpwned.com). Should I be concerned?
A: Kaspersky’s promise is that the company knows nothing about your data. That’s true, though with one caveat that we’ll explain at the end.
Kaspersky certainly doesn’t know anything about the information that you store in Password Manager. That’s contained wholly within the app on your computer, and encrypted using your master password. It is never transferred unencrypted to Kaspersky (see screenshot).
When you type your master key into Password Manager, the database is decrypted. At that point, if you choose to use the Password Check function, then the passwords (but not the usernames) are checked against the Have I Been Pwned? database. You could perform this same search yourself, manually, at https://haveibeenpwned.com/passwords – and get the same results. So, Have I Been Pwned? gets to see your passwords, not Kaspersky. Neither sees the associated usernames. If you’re uncomfortable with that fact, you shouldn’t use the site.
Finally, know that if you create a Kaspersky account in order to sync your passwords to other devices, then the company will store and potentially share your personal details – but not your encrypted password file – as detailed in its privacy policy, at www.snipca.com/37173.