The password check that doesn't ask for your passwords
Last autumn, a user emailed us saying they'd been reusing the same password across 47 accounts. They knew it was a problem. They just didn't want to install yet another app to fix it. That message sat with me for weeks.
The problem with password audits
Password managers exist for a reason. They're brilliant at storing, generating, and autofilling credentials. But most people don't use them. Some won't trust them. Others already have a system (even if it's a terrible one) and can't be bothered to migrate.
What they do want is honesty about what they're doing wrong. A quick look at their phone's stored accounts, a report on which ones are weak or duplicated, and a nudge toward something better. No selling a premium subscription to a new password vault. Just the facts.
That's what sparked the password health check in ARK Shield. We didn't want to become a password manager. We wanted to audit what people already had and tell them what to fix.
How we read passwords without reading passwords
The technical side is the hard bit. Your phone stores passwords in places we could theoretically access: saved credentials in your browser, accounts registered in iOS or Android system settings, autofill databases. But accessing those directly would require either asking for explicit permission each time (which would be tedious) or storing the passwords ourselves (which we absolutely will not do).
Instead, the password health check works like this. When you run the scan in ARK, we access the list of accounts you've saved on your device, not the passwords themselves. We pull the usernames and the apps or websites they're connected to. That's enough. From there, we check each account against three things: whether it appears in a known breach database (through our HIBP integration), whether it uses a weak or common password pattern, and whether you've reused it elsewhere on your device.
All of this happens on your phone. We never send your passwords anywhere, encrypted or not. The only data we store securely is the breach status of the accounts we find, stored in iOS SecureStore or Android EncryptedSharedPreferences. No plain text. No syncing to the cloud. Just your device, on your terms.
What the audit actually tells you
When the scan finishes, you get a breakdown: which accounts have appeared in public breaches, which ones share a password with another account, which ones use patterns that are too simple. Each finding comes with a one-tap link that takes you directly to the app or website where you can change that password.
We also flag credentials that are just old. If you haven't updated a password in over a year, the check will surface it. That's not because we're paranoid. It's because time-based password rotation, though often dismissed by security experts, does catch people who've had their credentials compromised in breaches that took months to surface.
The whole thing takes seconds. No questionnaire. No waiting for a server response. Your device does the work, reports back what it found, and shows you exactly what to fix.
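One way an on-device audit like the one described above could turn saved accounts into the findings listed here, as an added example rather than ARK's own code. The entry shape, the `breached` flag (assumed to come from an earlier breach lookup), the ten-character threshold and the short common-password list are all assumptions; credentials are held in memory only while the function runs, and the returned report carries labels and site names but no secrets.

```javascript
// Added example (not ARK's code): an on-device audit that returns findings only.
// Entry shape, thresholds and the word list are assumptions for illustration.
const COMMON = new Set(['password', '123456', 'qwerty', 'letmein', 'iloveyou']);
const YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Heuristic for "weak or common pattern": short, on a common list,
// digits only, one repeated character, or containing the username.
function isWeak(password, username) {
  const p = password.toLowerCase();
  const user = username.split('@')[0].toLowerCase();
  return p.length < 10 || COMMON.has(p) || /^\d+$/.test(p) || /^(.)\1+$/.test(p)
    || (user.length >= 3 && p.includes(user));
}

// entries: [{ site, username, password, lastChanged (Date), breached (bool) }]
// `breached` is assumed to have been set by a separate breach lookup.
function auditAccounts(entries, now) {
  // Group by password in memory only; the Map is discarded on return.
  const groups = new Map();
  for (const e of entries) {
    if (!groups.has(e.password)) groups.set(e.password, []);
    groups.get(e.password).push(e);
  }
  return entries.map((e) => {
    const sharedWith = groups.get(e.password).filter((x) => x !== e).map((x) => x.site);
    const findings = [];
    if (e.breached) findings.push('breached');
    if (isWeak(e.password, e.username)) findings.push('weak');
    if (sharedWith.length > 0) findings.push('reused');
    if (now - e.lastChanged > YEAR_MS) findings.push('stale');
    // The report carries labels and site names, never the secret itself.
    return { site: e.site, username: e.username, findings, sharedWith };
  });
}

// Constructed sample data, not real accounts.
const SAMPLE = [
  { site: 'mail.example', username: 'sam@mail.example', password: 'Sam-2019!',
    lastChanged: new Date('2019-03-01'), breached: true },
  { site: 'shop.example', username: 'sam@mail.example', password: 'Sam-2019!',
    lastChanged: new Date('2024-11-10'), breached: false },
  { site: 'bank.example', username: 'sam', password: 'v7#Rk0q!Lw2zT9',
    lastChanged: new Date('2024-12-01'), breached: false },
];
const REPORT = auditAccounts(SAMPLE, new Date('2025-01-15'));
```

Only the `findings` and `sharedWith` fields would need to be persisted for the one-tap fix list, which keeps the stored state to status information.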
Why we didn't build a password manager instead
We get asked this a lot. Password managers are valuable. They're also saturated. There are dozens of good ones, and they're doing their job well. ARK was never meant to replace them. We built it to be the honest broker in your security life, the thing that looks across everything on your phone and tells you where the real gaps are.
A password health check fits that mission. It works alongside whatever password strategy you already have, whether that's a manager, a notebook, muscle memory, or pure chaos. It doesn't judge. It just audits and suggests.
The privacy-first approach matters here too. We don't need to store your passwords to be useful. We don't need to sync them across devices or hold them hostage behind a subscription to make money. We can be genuinely helpful without being invasive, which is increasingly rare in security software.
What we learned from launch week
When we first rolled out the password health check in Shield, we expected the breach detection to dominate. People would find out they'd been compromised, panic, and change their passwords. That did happen. But what surprised us was how many users started paying attention to password reuse. They'd see that they'd used the same four variations across thirty accounts, and suddenly the abstract idea of "unique passwords" became concrete.
One user told us they'd spent two hours after the scan just systematically going through their accounts, changing duplicates. They didn't blame us for forcing them to do it. They thanked us for making the problem visible. That matters. Security tools often make people feel stupid or overwhelmed. A good audit just shows you what's true and trusts you to act.
Password audits are only as useful as the action they unlock. If you've run the check in ARK and found weak or reused credentials, what's stopped you from changing them?