06-30-2020 11:25 AM - edited 06-30-2020 11:39 PM
06-30-2020 11:25 AM - edited 06-30-2020 11:39 PM
We’re delighted to announce that a preview of Password Monitor is now available in the Canary and Dev channels. Microsoft Edge Insiders can try it out on preview builds starting with version 84.0.506.0. Password Monitor is the latest feature we’re adding to the browser to help our customers protect their online privacy and security. Each year, hundreds of millions of personal credentials are exposed online in third-party data breaches and end up for sale on the online black market, often referred to as the Dark Web. Leaked usernames and passwords can be used to gain access to your online accounts via “credential stuffing” attacks. In these attacks, automated scripts are used to try different username and password combinations with the goal of hijacking accounts.
Though users are warned not to reuse the same pair of credentials for more than one account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.
While it’s impossible to prevent leaks from ever happening, you can now browse with more peace of mind, knowing Microsoft Edge has your back with Password Monitor, designed to help you keep your online accounts secure.
After you save your credentials to the browser, Microsoft Edge will begin proactively monitoring them for matches against credentials leaked to the Dark Web. Microsoft has been monitoring for leaked credentials for enterprise customers and their Azure Active Directory (AAD) accounts for years. Password Monitor now brings this service to all customers and accounts.
It checks the credentials you’ve saved in Microsoft Edge against an ever-growing database of usernames and passwords that are known to have been breached, collected by a network of researchers, law enforcement agencies, security teams at Microsoft and other trusted sources. The check is done using enterprise-grade encryption and privacy-preserving techniques. When a match has been found, the unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
In this early preview, Password Monitor is turned off by default and a few steps are required to turn it on.
If you’re saving a new password to the browser, you’ll also have the opportunity to turn on the feature by selecting the check box in the Save password notification. Select the check box and then select 'Ok' to turn on Password Monitor for all credentials saved to Microsoft Edge.
If Password Monitor has detected a compromised password, a red badge will show up in the More menu during your browsing session. Selecting the icon in the More menu will show you the password leak notification. Selecting the notification will take you to the Password Monitor page under Settings > Profiles > Passwords. From there, Microsoft Edge will take you directly to the website of the compromised account so you can update your password. Be sure to save your new password to the browser so Password Monitor can continue to work on your behalf.
This is just the beginning for Password Monitor, and we’re excited to continue enhancing the feature. The preview experience today doesn’t include automatic notifications, but we expect to bring you notifications soon. Until then, after you turn on Password Monitor, make sure to check Settings > Profiles > Passwords for alerts about your credentials.
Turn on Password Monitor today and let us know what you think! As we gather feedback and continue to fine-tune the feature, we’ll be rolling it out to a broader audience.
Thank you for being part of our Insider community and trying this early preview.
07-01-2020 09:27 AM
Thank you for sharing @Suhrid_Palsule
This is amazing feature and I believe there are people who will just shocked about how many of their passwords have been leaked and I hope they changed it right away.
07-01-2020 04:01 PM - edited 07-01-2020 08:05 PM
@Suhrid_Palsule Are there additional steps to enable this? I'm not currently seeing it on Version 85.0.552.1 (Official build) dev (64-bit). Or is it geo-restricted?
[Edit - I see now there is a mention at the very bottom of the post that this feature is being rolled out, so I take it that it's not supposed to be available for all insiders right now.]
07-04-2020 06:31 AM
07-06-2020 03:52 PM
what happens when microsoft have a leak, ALL passwords are vulnerable?
"all eggs in one basket"
07-06-2020 11:05 PM
Not just Microsoft ... this same question has been posed to several other Password Managers (both browser built-in and dedicated applications) for many years now. It is also the subject of much research and there are several publications on this subject.
The short answer is that a user is much better-off using a Password Manager than not using one. Not using a password manager leads to poor password habits that increases risk for the user. And Password Manager applications employ extensive security protections and precautions to prevent such an event from occuring. You can read more about this subject, here: https://techcommunity.microsoft.com/t5/articles/autofill-blog-2-password-security/m-p/963847
07-07-2020 09:11 AM
@martmcd well, the monitor would notify you of that , plus the passwords would be hashed and salted to make it more tricky, if they stored your password.
If they don't store passwords, then they'll need to have the username and url to actually make it work as you cannot overwrite usernames in all sites as that would be a security issue. If that was the case on a webpage, the developers might as well allow code-injections like DROPTABLE because you could then just overwrite it and the account data would be gone for everyone.
The process could also be done locally (on the computer) too instead of the server although it would be, depending on your computer, slower.
07-07-2020 11:44 AM
07-13-2020 12:25 PM - edited 07-13-2020 01:13 PM
This feature is awesome!!
I think once you have the notifications sorted, then this will be a feature that will help millions of folk with managing their passwords, and keeping their privacy and information secure.
When the notifications are active. Will there be a pop up box that shows automatically when the browser opens, or do people have to click onto the icon in the top right corner where the ellipsis is?