Forum Discussion
MicrosoftPassword Monitor is now available in Microsoft Edge preview builds
We’re delighted to announce that a preview of Password Monitor is now available in the Canary and Dev channels. Microsoft Edge Insiders can try it out on preview builds starting with version 84.0.506.0. Password Monitor is the latest feature we’re adding to the browser to help our customers protect their online privacy and security. Each year, hundreds of millions of personal credentials are exposed online in third-party data breaches and end up for sale on the online black market, often referred to as the Dark Web. Leaked usernames and passwords can be used to gain access to your online accounts via “credential stuffing” attacks. In these attacks, automated scripts are used to try different username and password combinations with the goal of hijacking accounts.
Though users are warned not to reuse the same pair of credentials for more than one account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.
While it’s impossible to prevent leaks from ever happening, you can now browse with more peace of mind, knowing Microsoft Edge has your back with Password Monitor, designed to help you keep your online accounts secure.
How Password Monitor works
After you save your credentials to the browser, Microsoft Edge will begin proactively monitoring them for matches against credentials leaked to the Dark Web. Microsoft has been monitoring for leaked credentials for enterprise customers and their Azure Active Directory (AAD) accounts for years. Password Monitor now brings this service to all customers and accounts.
It checks the credentials you’ve saved in Microsoft Edge against an ever-growing database of usernames and passwords that are known to have been breached, collected by a network of researchers, law enforcement agencies, security teams at Microsoft and other trusted sources. The check is done using enterprise-grade encryption and privacy-preserving techniques. When a match has been found, the unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
Turn on Password Monitor
In this early preview, Password Monitor is turned off by default and a few steps are required to turn it on.
- Make sure you’re signed-in to Microsoft Edge using your Microsoft account or your work or school account.
- Go to Settings > Profiles> Passwords (or go to edge://settings/passwords) and turn on the toggle next to Show alerts when passwords are found in an online leak
If you’re saving a new password to the browser, you’ll also have the opportunity to turn on the feature by selecting the check box in the Save password notification. Select the check box and then select 'Ok' to turn on Password Monitor for all credentials saved to Microsoft Edge.
If Password Monitor has detected a compromised password, a red badge will show up in the More menu during your browsing session. Selecting the icon in the More menu will show you the password leak notification. Selecting the notification will take you to the Password Monitor page under Settings > Profiles > Passwords. From there, Microsoft Edge will take you directly to the website of the compromised account so you can update your password. Be sure to save your new password to the browser so Password Monitor can continue to work on your behalf.
This is just the beginning for Password Monitor, and we’re excited to continue enhancing the feature. The preview experience today doesn’t include automatic notifications, but we expect to bring you notifications soon. Until then, after you turn on Password Monitor, make sure to check Settings > Profiles > Passwords for alerts about your credentials.
Turn on Password Monitor today and let us know what you think! As we gather feedback and continue to fine-tune the feature, we’ll be rolling it out to a broader audience.
Thank you for being part of our Insider community and trying this early preview.
- Thank you again for this Great Feature!!
Dennis5mile Thank you for sharing Suhrid_Palsule
This is amazing feature and I believe there are people who will just shocked about how many of their passwords have been leaked and I hope they changed it right away.
Suhrid_Palsule Are there additional steps to enable this? I'm not currently seeing it on Version 85.0.552.1 (Official build) dev (64-bit). Or is it geo-restricted?
[Edit - I see now there is a mention at the very bottom of the post that this feature is being rolled out, so I take it that it's not supposed to be available for all insiders right now.]
- Bonjour,
Merci pour cette excellente nouvelle ! Je pourrais enfin me débarrasser de mon gestionnaire de mot de passe tiers. Gracias por incluir tan importante método de contrastar las contraseñas que guardamos. Ahora parece que tenemos mucho má seguridad al navegar en la Web
what happens when microsoft have a leak, ALL passwords are vulnerable?
"all eggs in one basket"
- Suhrid_Palsule
Hi martmcd,
Not just Microsoft ... this same question has been posed to several other Password Managers (both browser built-in and dedicated applications) for many years now. It is also the subject of much research and there are several publications on this subject.
The short answer is that a user is much better-off using a Password Manager than not using one. Not using a password manager leads to poor password habits that increases risk for the user. And Password Manager applications employ extensive security protections and precautions to prevent such an event from occuring. You can read more about this subject, here: https://techcommunity.microsoft.com/t5/articles/autofill-blog-2-password-security/m-p/963847 martmcd well, the monitor would notify you of that
, plus the passwords would be hashed and salted to make it more tricky, if they stored your password.If they don't store passwords, then they'll need to have the username and url to actually make it work as you cannot overwrite usernames in all sites as that would be a security issue. If that was the case on a webpage, the developers might as well allow code-injections like DROPTABLE because you could then just overwrite it and the account data would be gone for everyone.
The process could also be done locally (on the computer) too instead of the server although it would be, depending on your computer, slower.
martmcd I have a question; once monitor finds password intrusion, how do we know which one ? or are we to change them all? please help !
Deeddowdney from what has been said here, i understand you will get a notification that will tell you which one.
perhaps Suhrid_Palsule can confirm, or provide the answer to your question
This feature is awesome!!
I think once you have the notifications sorted, then this will be a feature that will help millions of folk with managing their passwords, and keeping their privacy and information secure.
When the notifications are active. Will there be a pop up box that shows automatically when the browser opens, or do people have to click onto the icon in the top right corner where the ellipsis is?
Nathan,
- Suhrid_Palsule
Hi Nathan_Roberts-SN, the notification will show up automatically.
- we worry about hacker protection issue is very important.
- Suhrid_PalsulePassword Monitor is built as an in-built notification system that lets Microsoft Edge users know which of their passwords have been exposed in a 3rd party data leak by hackers.
If you're referring to this information (of which passwords are compromised) being kept safe from hackers, then for that there are several measures in place to make the storage and transfer of this information more secure using advanced hashing and encryption methods.
This feature works great in the Dev and Canary build. When will this be pushed towards the PROD builds ? We are looking to implement this feature for our endusers. We have just upgraded to Edge Chromium 87.0.664.41 (64bit)
- Suhrid_Palsule
NielsZegers Yes, we are working towards the same and hope to bring it to Stable channel soon 🙂
We will update here once the date is near. Thanks for your patience!
- Suhrid_Palsule
Thank you for your patience, and apologies for the delay!
The feature rollout continues and is made available to an increasing number of users everyday. By mid-April, the latest Stable build (E90), this feature will become available to everyone.
