Frequently Asked Questions

Yes, completely and permanently free. No plans, no subscriptions, no signup required. All tools are available to everyone without any account or payment.

Cyberscan is an independent project built to make everyday security checks accessible to everyone. It is not affiliated with VirusTotal, Google, Cloudflare, or any other company whose infrastructure it uses. For contact details, see our About page.

The Password Checker and Password Generator work entirely offline — they run in your browser with no network access required after the page first loads. The Email Breach Check, URL Scanner, Hash Generator (for files) and QR Reader require an internet connection because they rely on external APIs or need to load libraries.

Yes. Cyberscan is a PWA (Progressive Web App). On Android, tap the browser menu and select "Add to Home Screen." On iOS, use Share → "Add to Home Screen." On desktop Chrome or Edge, look for the install icon in the address bar. Once installed, it behaves like a native app.

Yes. The Password Checker and Generator run entirely in your browser. Your password is never transmitted anywhere. To verify this yourself, open your browser's DevTools (F12) → Network tab, then test a password — you will see zero outgoing requests related to the password field. You can also disconnect your internet connection and both tools continue to work normally.

No. Cyberscan does not collect, store, sell, or share any personal data. We have no advertising partners, no analytics provider, and no data broker relationships. See our Privacy Policy for full details.

The Email Breach Check uses the XposedOrNot public API, which aggregates records from hundreds of confirmed data breach incidents. Your email is forwarded to their API via our server-side proxy and immediately discarded — Cyberscan never stores it. XposedOrNot is an independent, community-maintained breach notification project similar in purpose to HaveIBeenPwned.

Your URL is forwarded from our Cloudflare Worker to the VirusTotal API (operated by Google LLC) for analysis. VirusTotal may log submitted URLs in accordance with their own privacy policy. Cyberscan does not log the URL. Note that VirusTotal URLs are publicly visible in their database — do not scan URLs containing sensitive tokens or credentials.

A strong password is necessary but not sufficient. It also needs to be unique (not reused on other sites), stored in a password manager rather than written down, and protected with two-factor authentication on important accounts. A strong password that was reused on a breached site is compromised regardless of its strength score.

Trust your instincts. Newly registered malicious domains may not yet appear in any threat database — this is called a "zero-day phishing site." If a URL came from an unexpected email, text, or social media message asking you to log in or enter personal data, treat it as suspicious regardless of the scanner result. Navigate to the site directly by typing the domain into your browser instead of clicking the link.

Not necessarily. Many data breaches are never publicly disclosed, and breach notification databases only contain incidents that have been discovered and verified. A clean result means your email has not appeared in any known, publicly reported breach — which is good news, but not a guarantee. Using unique passwords per site and enabling two-factor authentication remains important regardless of your breach status.

A hash is a fixed-length "fingerprint" of a file. If even one byte of the file changes, the hash changes completely. When a developer publishes software, they often publish the SHA-256 hash of the installer alongside it. After downloading the file, paste it into the Cyberscan Hash Generator, generate its SHA-256 hash, and compare it character-by-character with the published one. An exact match confirms the file is authentic and unmodified during transit.

Length matters far more than complexity. A random 16-character passphrase is harder to crack than an 8-character password with special characters. The gold standard is a password that is long (16+ characters), random (generated by a password manager, not a human), unique (never reused), and stored safely (in a manager like Bitwarden or 1Password, never in a browser's saved passwords for sensitive accounts).

In order of security: hardware security keys (YubiKey) are the strongest and immune to phishing. Authenticator app OTPs (Google Authenticator, Aegis, Authy) are excellent for most users. SMS-based codes are better than nothing but vulnerable to SIM-swap attacks. Avoid SMS 2FA for high-value accounts like email and banking if you have an alternative. Start with your email account — it is the master key to every other account's password reset.

These are almost always scams — specifically a type called "sextortion" or "credential stuffing" phishing. The email typically claims to have your password (sometimes showing an old one from a data breach to seem credible) and threatens to release compromising material unless you pay in cryptocurrency. Do not pay. If the password shown is one you still use anywhere, change it immediately and enable 2FA on that account. The Email Breach Check can help you find which breach it came from.