Forum Discussion
Use Password Monitor to help protect your passwords online
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps—for example, the kind we use to order products—become the target of data breaches.
These leaked username and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. When an account is taken over, its owner can be the target of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
Though people are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.
Password Monitor helps Microsoft Edge customers protect their online accounts by informing them if any of their passwords that have been compromised, so they can update them. Changing their passwords immediately is the best way to prevent their accounts from being hijacked.
How Password Monitor works
After you turn on Password Monitor, Microsoft Edge begins proactively checking the passwords you’ve saved in the browser against a large database of known breached credentials that are stored in the cloud. If any of your passwords match those in the database, they will be shown on the Password Monitor page in Settings > Profiles > Passwords > Password Monitor. Passwords listed there are no longer safe to use and need to be changed immediately.
When your credentials are checked against the database of known leaked credentials, powerful encryption helps prevent your information from being revealed to anyone. Information about which password has been compromised is only available to you.
Turn on Password Monitor
To turn on Password Monitor:
- Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
- In your browser settings, go to Profiles > Passwords.
- Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
What to do if you discover your password is unsafe
- Go to Settings > Profiles> Passwords > Password Monitor.
- For each account where your password is shown to be unsafe, select the Change Password button. You’ll be taken to the relevant website. Change your password.
- If an entry in the list of compromised passwords is no longer relevant to you, you can ignore it by clicking Ignore.
Suhrid_Palsule I certainly like this feature, but have a couple of enhancements:
- In addition to being able to Ignore the "leaked password," please add the option to just delete it from my saved passwords. All of the passwords that have shown up in this list are old accounts that are no longer valid. Since I have hundreds of saved passwords, manually finding and deleting could be made much simpler by just letting the user delete them.
- Add the ability to see list of ignored password. I initially chose to ignore. When I went back to find them and manually delete them, I can find that list since I no longer get the warning that takes me to the list.
Thanks!
- Suhrid_PalsuleMicrosoft
Don Kirkham
These are valid points, Don. Both will be taken into consideration as the feature design evolves. Thank you!
- Dennis5mileSilver Contributor
Love how this is all falling into place. Love the setup/design..
Great Job all!
Dennis5mile
- Dennis5mileSilver Contributor
Suhrid_Palsule wrote:Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Turn on Password Monitor
To turn on Password Monitor:
- Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
- In your browser settings, go to Profiles > Passwords.
- Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
.I'm not seeing that switch at all. This is all I have in Password;
Version 85.0.556.0 (Official build) canary (64-bit)
Dennis5mile
- Deleted
Dennis5mile You actually included the answer in your question. 🙂
@Dennis5mil wrote:
Suhrid_Palsule wrote:
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Fawkes (they/them)
Project & Community Manager - Microsoft Edge- Dennis5mileSilver Contributorlol.. oops.. 🙃
Dennis5mile
- jjyb7Copper Contributor
设置\个人资料\密码\在联机泄漏中发现密码........
- Reza_Ameri-ArchivedBronze Contributor
Suhrid_Palsule does it check the actual password or hash of it?
I guess it is hash checking because checking the blank password is privacy concern.
It would be interesting to implement this for other user inputs like Credit Cards, National ID Number, ...
I have observed several stolen Credit Card number on Dark Web too.
- Suhrid_PalsuleMicrosoftYes, the latter. Advanced privacy-preserving methods are used to ensure that the actual username-password remains protected.
True - there are data-types other than login information available online. Those are presently beyond the scope of Password Monitor.- rshupakIron Contributor
Suhrid_Palsule I am months late in responding to this, so apologies. Why are the requests to https://edge.microsoft.com/passwordbreach/api/v1 authenticates with a bearer token associated with my account? Doesn't this increase the risk that the information could be associated with me personally?
Rich
- Gabe_SzaboCopper Contributor
Suhrid_Palsule Is the database very large, compressed? Wouldn't it be more secure to do the breach check "offline" on the Edge clients? Or you are doing the breach check online, where the synced passwords are stored?
- tusharshelar72541370Copper Contributorthank you
- desertcoderCopper Contributor
Suhrid_Palsule I have received alerts that passwords have been leaked for localhost. I don't have IIS, apache or any web server running locally. I recognize one of the usernames, but of course I cannot change any credentials for localhost. I've attached a screenshot from my profile settings. How were these leaked passwords for localhost detected? Thanks in advance.
- Suhrid_PalsuleMicrosoft
Hi desertcoder, thank you for your feedback. All username-password pairs stored in Microsoft Edge are automatically scanned to check if they've been leaked online in a previous breach. This includes localhost sites as well. For alerts that you might not want to act upon right now, you can move the same to the 'Ignored alerts' section.
- Didier_DanloyBrass Contributor
Suhrid_Palsule Great feature indeed. Looking forward to have this
- mgw000Copper Contributor
I have just, unintentionally, tried Password Monitor. It seems like a good feature. When I used it for the first time it told me that 2 of my passwords were unsafe. This caught my attention! It turns out that the two passwords were for 192.168.1.x. These are not used on any of my network machines but were presumably, from my having been on some other private network at some time.
My suggestion is that 192.168.x.x and 10.0.x.x be excluded from the scanning.
It is a good feature apart from giving me high blood pressure!
- Suhrid_PalsuleMicrosoft
Hi mgw000, glad you found the feature useful! Password Monitor scans and notifies the user of all compromised passwords, without exception. However, we hear you about excluding IP Addresses from the scan; many users unfortunately use weak passwords for networks, routers and such. To that end, there's an easy to use 'Ignore' button that moves such password entries into an ignore tray - from which point on, there will be no further action sought on them by the browser.
Let us know if this answers your question.- lwetzelBrass Contributor
When will the Password Monitor feature show up in the release version of Edge? I have a Chrome extension that this morning advised me that it will not work after today since it will be in Chrome. So when Will it be in Edge or do I have to go to the Dev release?