Forum Discussion
Suhrid_Palsule
Microsoft
Jun 24, 2020
Use Password Monitor to help protect your passwords online
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps—for example, the kind we use to order products—become the target of data breaches.
These leaked usernames and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. When an account is taken over, its owner can be the target of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
Though people are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.
Password Monitor helps Microsoft Edge customers protect their online accounts by informing them if any of their passwords have been compromised, so they can update them. Changing their passwords immediately is the best way to prevent their accounts from being hijacked.
How Password Monitor works
After you turn on Password Monitor, Microsoft Edge begins proactively checking the passwords you’ve saved in the browser against a large database of known breached credentials that are stored in the cloud. If any of your passwords match those in the database, they will be shown on the Password Monitor page in Settings > Profiles > Passwords > Password Monitor. Passwords listed there are no longer safe to use and need to be changed immediately.
When your credentials are checked against the database of known leaked credentials, powerful encryption helps prevent your information from being revealed to anyone. Information about which password has been compromised is only available to you.
Turn on Password Monitor
To turn on Password Monitor:
- Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
- In your browser settings, go to Profiles > Passwords.
- Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
What to do if you discover your password is unsafe
- Go to Settings > Profiles > Passwords > Password Monitor.
- For each account where your password is shown to be unsafe, select the Change Password button. You’ll be taken to the relevant website. Change your password.
- If an entry in the list of compromised passwords is no longer relevant to you, you can ignore it by clicking Ignore.
- khadiga_sala
Copper Contributor
- Kam
Silver Contributor
khadiga_sala What?
- rutra80
Copper Contributor
Does it send encrypted passwords or hashes only?
- euhn_outer
Copper Contributor
Does this feature actually scan for passwords, or does it just try to match the website URL and email address? Because I have a few hits that are very unlikely to have been leaked, as there's no recent data leak/hack on those sites since the last time I changed my password there, and it is a unique password so it cannot come from another site being hacked. (ex: bestbuy.ca)
- Bamatami
Copper Contributor
I keep getting alerts that my passwords have leaked online to the same websites over and over again, after I have changed my password(s). When I check the password, it still shows the old one that I have already changed. This is so frustrating!! I had 25 passwords leaked on a scan last night and on probably 90% of them, I had already changed the password. Is this a glitch in the system? I want to continue to have my passwords monitored, but not if this redundancy doesn't stop! Thanks! Suhrid_Palsule
- Suhrid_Palsule
Microsoft
Hi Bamatami,
Sorry you faced this! Password Monitor checks all username-password combinations stored in Microsoft Edge, regardless of whether they are valid or stale credentials.
In order to avoid getting alerts for older passwords (which are no longer valid), you can delete those specific entries from the browser by going to Settings > Profiles > Passwords.
Let me know if this answers your question! 🙂
- Bamatami
Copper Contributor
Thanks Suhrid!!
- Dennis5mile
Silver Contributor
Ok, this password manager and all that went with it, seems to have disappeared in this latest version of Can.. Version 87.0.644.0 (Official build) canary (64-bit).
Is this intentional?
Dennis5mile
- Suhrid_Palsule
Microsoft
Hi Dennis5mile
Thanks for bringing this to our attention! This should not happen, as Password Monitor is available for 100% of Canary and Dev users. Do update to the latest version or restart your browser if you're already using the latest, and let me know if the issue persists.
- Dennis5mile
Silver Contributor
Thanks for the reply,
As of Version 87.0.657.0 (Official build) canary (64-bit) everything appears to be back to normal.
Dennis5mile
- mgw000
Copper Contributor
I have just, unintentionally, tried Password Monitor. It seems like a good feature. When I used it for the first time it told me that 2 of my passwords were unsafe. This caught my attention! It turns out that the two passwords were for 192.168.1.x. These are not used on any of my network machines but were presumably, from my having been on some other private network at some time.
My suggestion is that 192.168.x.x and 10.0.x.x be excluded from the scanning.
It is a good feature apart from giving me high blood pressure!
- Suhrid_Palsule
Microsoft
Hi mgw000, glad you found the feature useful! Password Monitor scans and notifies the user of all compromised passwords, without exception. However, we hear you about excluding IP Addresses from the scan; many users unfortunately use weak passwords for networks, routers and such. To that end, there's an easy to use 'Ignore' button that moves such password entries into an ignore tray - from which point on, there will be no further action sought on them by the browser.
Let us know if this answers your question.
- lwetzel
Brass Contributor
When will the Password Monitor feature show up in the release version of Edge? I have a Chrome extension that this morning advised me that it will not work after today since it will be in Chrome. So when Will it be in Edge or do I have to go to the Dev release?
- Dennis5mile
Silver Contributor
Love how this is all falling into place. Love the setup/design..
Great Job all!
Dennis5mile
Suhrid_Palsule I certainly like this feature, but have a couple of enhancements:
- In addition to being able to Ignore the "leaked password," please add the option to just delete it from my saved passwords. All of the passwords that have shown up in this list are old accounts that are no longer valid. Since I have hundreds of saved passwords, manually finding and deleting could be made much simpler by just letting the user delete them.
- Add the ability to see the list of ignored passwords. I initially chose to ignore. When I went back to find them and manually delete them, I can find that list since I no longer get the warning that takes me to the list.
Thanks!
- Suhrid_Palsule
Microsoft
Don Kirkham
These are valid points, Don. Both will be taken into consideration as the feature design evolves. Thank you!
- Didier_Danloy
Brass Contributor
Suhrid_Palsule Great feature indeed. Looking forward to have this
- desertcoder
Copper Contributor
Suhrid_Palsule I have received alerts that passwords have been leaked for localhost. I don't have IIS, apache or any web server running locally. I recognize one of the usernames, but of course I cannot change any credentials for localhost. I've attached a screenshot from my profile settings. How were these leaked passwords for localhost detected? Thanks in advance.
- Suhrid_Palsule
Microsoft
Hi desertcoder, thank you for your feedback. All username-password pairs stored in Microsoft Edge are automatically scanned to check if they've been leaked online in a previous breach. This includes localhost sites as well. For alerts that you might not want to act upon right now, you can move the same to the 'Ignored alerts' section.
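Added example (not part of the thread and not Microsoft's code): because the replies above confirm that every saved username-password pair is scanned, including stale entries, private-network addresses and localhost, the sketch below triages an exported password list so those entries can be deleted or moved to Ignore, and also lists passwords reused across hosts. The CSV layout (`name,url,username,password`) is an assumption about the browser's export format, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the assumed export layout (name,url,username,password).
SAMPLE_CSV = """name,url,username,password
router,http://192.168.1.1/login,admin,admin123
dev,http://localhost:8080/,me,hunter2
shop,https://shop.example/account,me@example.com,hunter2
nas,http://10.0.0.5/,admin,Xk9!vQ2p
mail,https://mail.example/,me@example.com,t7#Lm0zR
"""

def host_scope(url):
    """Classify a saved URL's host as 'loopback', 'private' or 'public'."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "public"  # a DNS name; it is not resolved here
    if ip.is_loopback:  # checked first: loopback addresses are also is_private
        return "loopback"
    return "private" if ip.is_private else "public"

def triage(csv_text):
    """Return (local_entries, reused_hosts) without ever printing a password."""
    local, by_password = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        scope = host_scope(row["url"])
        if scope != "public":
            local.append((row["url"], row["username"], scope))
        by_password[row["password"]].add(urlsplit(row["url"]).hostname or row["url"])
    reused = sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)
    return local, reused

if __name__ == "__main__":
    local, reused = triage(SAMPLE_CSV)
    for url, user, scope in local:
        print(f"{scope:8} {user:10} {url}")
    for hosts in reused:
        print("same password on:", ", ".join(hosts))
```

An exported password file is plaintext, so delete it once the triage is done.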