Password Monitor is now available in Microsoft Edge preview builds

Microsoft

We’re delighted to announce that a preview of Password Monitor is now available in the Canary and Dev channels. Microsoft Edge Insiders can try it out on preview builds starting with version 84.0.506.0. Password Monitor is the latest feature we’re adding to the browser to help our customers protect their online privacy and security. Each year, hundreds of millions of personal credentials are exposed online in third-party data breaches and end up for sale on the online black market, often referred to as the Dark Web. Leaked usernames and passwords can be used to gain access to your online accounts via “credential stuffing” attacks. In these attacks, automated scripts are used to try different username and password combinations with the goal of hijacking accounts.

 

Though users are warned not to reuse the same pair of credentials for more than one account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.

While it’s impossible to prevent leaks from ever happening, you can now browse with more peace of mind, knowing Microsoft Edge has your back with Password Monitor, designed to help you keep your online accounts secure.

 

How Password Monitor works

After you save your credentials to the browser, Microsoft Edge will begin proactively monitoring them for matches against credentials leaked to the Dark Web. Microsoft has been monitoring for leaked credentials for enterprise customers and their Azure Active Directory (AAD) accounts for years. Password Monitor now brings this service to all customers and accounts.

 

It checks the credentials you’ve saved in Microsoft Edge against an ever-growing database of usernames and passwords that are known to have been breached, collected by a network of researchers, law enforcement agencies, security teams at Microsoft and other trusted sources. The check is done using enterprise-grade encryption and privacy-preserving techniques. When a match has been found, the unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.

 

Turn on Password Monitor

In this early preview, Password Monitor is turned off by default and a few steps are required to turn it on.

  1. Make sure you’re signed-in to Microsoft Edge using your Microsoft account or your work or school account.
  2. Go to Settings > Profiles> Passwords (or go to edge://settings/passwords) and turn on the toggle next to Show alerts when passwords are found in an online leak

Suhrid_Palsule_0-1593540590834.png

 

If you’re saving a new password to the browser, you’ll also have the opportunity to turn on the feature by selecting the check box in the Save password notification. Select the check box and then select 'Ok' to turn on Password Monitor for all credentials saved to Microsoft Edge.  

 

Suhrid_Palsule_1-1593540590840.png

 

If Password Monitor has detected a compromised password, a red badge will show up in the More menu during your browsing session. Selecting the icon in the More menu will show you the password leak notification. Selecting the notification will take you to the Password Monitor page under Settings > Profiles > Passwords. From there, Microsoft Edge will take you directly to the website of the compromised account so you can update your password. Be sure to save your new password to the browser so Password Monitor can continue to work on your behalf.

 

Suhrid_Palsule_3-1593540590853.png

 
 
 
 

passmon.jpg

 

This is just the beginning for Password Monitor, and we’re excited to continue enhancing the feature. The preview experience today doesn’t include automatic notifications, but we expect to bring you notifications soon. Until then, after you turn on Password Monitor, make sure to check Settings > Profiles > Passwords for alerts about your credentials.

Turn on Password Monitor today and let us know what you think! As we gather feedback and continue to fine-tune the feature, we’ll be rolling it out to a broader audience.

Thank you for being part of our Insider community and trying this early preview.

25 Replies
Thank you again for this Great Feature!!

Dennis5mile

Thank you for sharing @Suhrid_Palsule 

This is amazing feature and I believe there are people who will just shocked about how many of their passwords have been leaked and I hope they changed it right away.

@Suhrid_Palsule Are there additional steps to enable this? I'm not currently seeing it on Version 85.0.552.1 (Official build) dev (64-bit). Or is it geo-restricted?

 

[Edit - I see now there is a mention at the very bottom of the post that this feature is being rolled out, so I take it that it's not supposed to be available for all insiders right now.]

Bonjour,

Merci pour cette excellente nouvelle ! Je pourrais enfin me débarrasser de mon gestionnaire de mot de passe tiers.

@Suhrid_Palsule 

what happens when microsoft have a leak, ALL passwords are vulnerable?

"all eggs in one basket"

Hi @martmcd

Not just Microsoft ... this same question has been posed to several other Password Managers (both browser built-in and dedicated applications) for many years now. It is also the subject of much research and there are several publications on this subject. 

The short answer is that a user is much better-off using a Password Manager than not using one. Not using a password manager leads to poor password habits that increases risk for the user. And Password Manager applications employ extensive security protections and precautions to prevent such an event from occuring. You can read more about this subject, here: https://techcommunity.microsoft.com/t5/articles/autofill-blog-2-password-security/m-p/963847

Bonjour @Suhrid_Palsule 

 

Je vous remercie pour ses précisions.

@martmcd well, the monitor would notify you of that :xd:, plus the passwords would be hashed and salted to make it more tricky, if they stored your password.

 

If they don't store passwords, then they'll need to have the username and url to actually make it work as you cannot overwrite usernames in all sites as that would be a security issue. If that was the case on a webpage, the developers might as well allow code-injections like DROPTABLE because you could then just overwrite it and the account data would be gone for everyone.

 

The process could also be done locally (on the computer) too instead of the server although it would be, depending on your computer, slower.

Bonsoir,

Pour ma part, j'attends du gestionnaire de mots de passe trois choses principales :
- l'efficacité d'utilisation (notamment concernant le remplissage de formulaires),
- la simplicité d'utilisation (afin que Microsoft Edge soit accessible au plus grand nombre),
- la sécurité (même si j'ai conscience que c'est un challenge difficile à relever).

L'avantage d'un gestionnaire de mots de passe intégré à Microsoft Edge (Chromium) c'est l'assurance d'un fonctionnement garanti.

@Suhrid_Palsule 

 

This feature is awesome!!

 

I think once you have the notifications sorted, then this will be a feature that will help millions of folk with managing their passwords, and keeping their privacy and information secure. 

 

When the notifications are active. Will there be a pop up box that shows automatically when the browser opens, or do people have to click onto the icon in the top right corner where the ellipsis is?

 

Nathan, 

we worry about hacker protection issue is very important.

Hi @Nathan_Roberts-SN, the notification will show up automatically.

Password Monitor is built as an in-built notification system that lets Microsoft Edge users know which of their passwords have been exposed in a 3rd party data leak by hackers.

If you're referring to this information (of which passwords are compromised) being kept safe from hackers, then for that there are several measures in place to make the storage and transfer of this information more secure using advanced hashing and encryption methods.

@Suhrid_Palsule 

 

This feature works great in the Dev and Canary build. When will this be pushed towards the PROD builds ? We are looking to implement this feature for our endusers. We have just upgraded to Edge Chromium 87.0.664.41 (64bit)

@NielsZegers Yes, we are working towards the same and hope to bring it to Stable channel soon 🙂

We will update here once the date is near. Thanks for your patience!

@martmcd I have a question; once monitor finds password intrusion, how do we know which one ? or are we to change them all? please help !

 

@Deeddowdney from what has been said here, i understand you will get a notification that will tell you which one.

perhaps @Suhrid_Palsule  can confirm, or provide the answer to your question