BreachWatch Commands

This page shows commands related to BreachWatch and their responses.

Overview

BreachWatch is a powerful, secure add-on feature that monitors the internet and dark web for breached accounts matching records stored within your Keeper Vault. BreachWatch delivers the most in-depth monitoring available to the public with a database of over a billion records while upholding Keeper's state-of-the-art, zero-knowledge security architecture. More details can be found here.

User Experience

To sign up for BreachWatch from Keeper's Web Vault or mobile app, navigate to the BreachWatch screen and follow the on-screen prompts. You can also purchase BreachWatch directly from the Keeper Security website. After signup, BreachWatch performs a local scan of passwords that are currently stored in your Keeper vault.

BreachWatch Supports 4 Commands in SDK.

  1. BreachWatch List

  2. BreachWatch Scan

  3. BreachWatch Password

  4. BreachWatch Ignore

BreachWatch List

The breachwatch list command lists Keeper Vault records and their associated password breach status as detected by the BreachWatch service. It helps identify weak, reused, or breached passwords in your vault.

DotNet CLI

Command: breachwatch list

Flags:

  • — numbered: This flag displays breachwatch records in a serial numbered order

  • — owned: This flag displays breachwatch records which belong to the owner

  • — all: This flag displays breachwatch record which the current user has access to. There can be both owned records and records which are shared to user which have a different owner.

Example:

My Vault> breachwatch list --numbered --owned
S.No  Record UID              Title                      Description        
----  ----------------------  -------------------------  -------------------
2     record_uid              DemoRecordForWeakPassword  [email protected]      
1     record_uid              breachwatchIgnoreTest3     [email protected]
3     record_uid              DemoBreachWatchRecord
DotNet SDK

Function: BreachWatchRecords()

The below call can be made provided that vault is initiated and synced.

Example:

var records = vault.BreachWatchRecords()
.Where(x => x.Status == BWStatus.Weak || x.Status == BWStatus.Breached)
.Where(x => !BreachWatchIgnore.IsRecordIgnored(vault, x.RecordUid)) 
.Select(x => x)
PowerCommander

Command: Get-KeeperBreachWatchList

Flags: 

OwnedOnly - Shows records from breachwatch belonging to user
All - Shows all records from breachwatch which user has access to
Numbered - Shows serial number in result

Example:

PS> Get-KeeperBreachWatchList -OwnedOnly -Numbered

S.No Record UID             Title                     Description
---- ----------             -----                     -----------
   1 record_uid             breachwatchIgnoreTest3    [email protected]

Python CLI

Command: breachwatch list

Options:

  • -n --numbered Displayed records as a numbered list

  • -a --all Display all breached records (default - first 30 records)

  • -o --owned Display only breached records owned by user

Example:

My Vault> breachwatch list

Detected High-Risk Password(s)

Record UID              Title                       Description
----------------------  --------------------------  ----------------
record_uid              hello new shortcut changed  [email protected]
Python SDK

Function: breach_watch_records

record_uids = {x.record_uid for x in context.vault.vault_data.breach_watch_records() if x.status in (client_pb2.BWStatus.WEAK, client_pb2.BWStatus.BREACHED)}
records = [x for x in context.vault.vault_data.records() if x.record_uid in record_uids and (x.flags & vault_record.RecordFlags.IsOwner if owned_only else True)]

BreachWatch Scan

The breachwatch scan command is used to submit newly created or updated passwords in your vault for BreachWatch scanning. This scan detects whether the password is reused, weak, or compromised.

Use it after creating or modifying records with passwords, especially if they were added outside of Keeper apps (e.g., via: Commander CLI, API scripts etc).

DotNet CLI

Command: breachwatch scan

Example:

My Vault> breachwatch scan           
No records found to scan or all eligible records have already been scanned.
DotNet SDK

Function: ScanAndStoreRecordStatusAsync

This function requires record Uids as a list of string

Example:

await vault.ScanAndStoreRecordStatusAsync(recordUids);
PowerCommander

Command: Not Supported

Python CLI

Command: breachwatch scan

Parameters:

  • -r --records Record UIDs to be scanned

Example:

My Vault> breachwatch scan -r <record_uid>
Breachwatch: 1 password(s) to scan
Scan completed for record <record_uid>. Status: WEAK
Python SDK

Function: scan_and_store_record_status

bw_password = vault.breach_watch_plugin().scan_and_store_record_status(
                record_uid=record_uid,
                record_key=record_key,
                password=password
            )
            ##fetch the record key and password of the record to be scanned

BreachWatch Password

breachWatch password is a Keeper security feature that continuously monitors your stored vault passwords for exposure in public data breaches. It analyses passwords using zero-knowledge encryption to determine if they are Safe or not.

DotNet CLI

Command: breachwatch password

Example:

My Vault> breachwatch password 
Password to Check: *************
Scanning 1 password(s)...
   *************: GOOD
DotNet SDK

Function: ScanPasswordsAsync Example:

public static async Task<List<(string Password, HashStatus Status)>> ScanPasswordsAsync(
            IEnumerable<(string Password, byte[] Euid)> passwordEntries,
            CancellationToken cancellationToken = default)
PowerCommander

Command: Test-PasswordAgainstBreachWatch

Example:

PS> Test-PasswordAgainstBreachWatch
Password to Check: ************
Scanning 1 password(s)...
Processing 1 result(s)...
    ************: WEAK | Strength: System.Object[] (Score: 0)
Python CLI

Command: breachwatch password

Parameters:

  • passwords Input passwords to be scanned

Example:

My Vault> breachwatch password testpassword
    testpassword: BREACHED
Python SDK

Function: scan_passwords

breach_watch = vault.breach_watch_plugin().breach_watch.scan_passwords(passwords)
##Pass a list of password strings to be scanned

BreachWatch Ignore

breachWatch ignore is a feature that allows users to suppress alerts or warnings for specific password records that have been flagged as weak, reused, or breached by Keeper's BreachWatch service.

This is useful when a user or admin acknowledges a password issue but decides not to take immediate action — for example, when a record is:

  • Used for legacy systems

  • Not critical or already protected by other means

  • Already being remediated

DotNet CLI

Command: breachwatch ignore

Example:

My Vault> breachwatch ignore record_uid            
Record (UID: record_uid) has been ignored.
DotNet SDK

Function: IgnoreRecord

Example:

await BreachWatchIgnore.IgnoreRecord(vault, recordUid);
PowerCommander

Command: Set-KeeperBreachWatchRecordIgnore

PS> Set-KeeperBreachWatchRecordIgnore -RecordUids record_uid                            
System.Threading.Tasks.VoidTaskResult
Record 'breachwatchIgnoreTest3' (UID: record_uid) has been ignored.
Python CLI

Command: breachwatch ignore

Parameters:

  • records Record UIDs of records to be removed from breachwatch

Example:

My Vault> breachwatch ignore record_uid
record_uid: success 
Syncing...
Python SDK

Function: Not Supported

PreviousSecrets Manager Share CommandsNextEnterprise Management Commands

Last updated

Was this helpful?