Password Monitor is now available in Microsoft Edge preview builds

martmcd I have a question; once monitor finds password intrusion, how do we know which one ? or are we to change them all? please help !

martmcd well, the monitor would notify you of that , plus the passwords would be hashed and salted to make it more tricky, if they stored your password.

If they don't store passwords, then they'll need to have the username and url to actually make it work as you cannot overwrite usernames in all sites as that would be a security issue. If that was the case on a webpage, the developers might as well allow code-injections like DROPTABLE because you could then just overwrite it and the account data would be gone for everyone.

The process could also be done locally (on the computer) too instead of the server although it would be, depending on your computer, slower.

Hi martmcd, 

Not just Microsoft ... this same question has been posed to several other Password Managers (both browser built-in and dedicated applications) for many years now. It is also the subject of much research and there are several publications on this subject. 

The short answer is that a user is much better-off using a Password Manager than not using one. Not using a password manager leads to poor password habits that increases risk for the user. And Password Manager applications employ extensive security protections and precautions to prevent such an event from occuring. You can read more about this subject, here: https://techcommunity.microsoft.com/t5/articles/autofill-blog-2-password-security/m-p/963847