Use Password Monitor to help protect your passwords online

Microsoft

Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.

 

Each year, hundreds of millions of usernames and passwords are exposed online when websites or appsfor example, the kind we use to order products—become the target of data breaches. 


These leaked username and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. When an account is taken over, its owner can be the target of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
 


Though people are regularly 
cautioned against reusing the same username and password combination for more than one online account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.  


Password Monitor helps Microsoft Edge customers protect their online accounts by informing them if any of their passwords that have been compromised, so they can update them. Changing their passwords immediately is the best way to prevent their accounts from being hijacked. 
 

 

How Password Monitor works 

After you turn on Password Monitor, Microsoft Edge begins proactively checking the passwords you’ve saved in the browser against a large database of known breached credentials that are stored in the cloudIf any of your passwords match those in the database, they will be shown on the Password Monitor page in Settings > Profiles Passwords Password Monitor. Passwords listed there are no longer safe to use and need to be changed immediately.  


When your credentials are checked against the database of known leaked credentials, powerful encryption helps prevent your information from being revealed to anyone.
 Information about which password has been compromised is only available to you.   

 

Turn on Password Monitor  

To turn on Password Monitor:  

  1. Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account. 
  2. In your browser settings, go to Profiles Passwords. 
  3. Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords. 

 

What to do if you discover your password is unsafe  

  1. Go to Settings > ProfilesPasswords Password Monitor. 
  2. For each account where your password is shown to be unsafe, select the Change Password button. You’ll be taken to the relevant website. Change your password. 
  3. If an entry in the list of compromised passwords is no longer relevant to you, you can ignore it by clicking Ignore. 
35 Replies

@Suhrid_Palsule 

 


@Suhrid_Palsule wrote:

Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.

 

 

Turn on Password Monitor  

To turn on Password Monitor:  

  1. Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account. 
  2. In your browser settings, go to Profiles Passwords. 
  3. Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords. 

 

.I'm not seeing that switch at all.  This is all I have in Password;

Annotation 2020-06-24 161957.jpg

Version 85.0.556.0 (Official build) canary (64-bit)

 

Dennis5mile

@Dennis5mile You actually included the answer in your question. :) 

 

@Dennis5mil wrote:

@Suhrid_Palsule wrote:

Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.

 

Fawkes (they/them)
Project & Community Manager - Microsoft Edge

lol.. oops.. :upside_down_face:

Dennis5mile

设置\个人资料\密码\在联机泄漏中发现密码........

@Deleted 

 

hhmmm,   

Ok so this morning as I normally do when I open/start edge Can for the day, I check all my settings to see if anything has changed.  I find that now I have this feature, however the "Suggest strong passwords" feature that I had and had it switched on, is there but it is now greyed out....  

Annotation 2020-06-25 073435.jpg

What happened?

 

Dennis5mile

 

Ok, hhhmm scratch everything above...  As I was typing the reply above Can stopped responding and when it started responding again, this post got posted.  I rechecked my settings and to my surprise, that setting that was greyed out, is now available and switched on....

Annotation 2020-06-25 074517.jpg

 

Go figure... lol

 

Dennis5mile

 

@Dennis5mile It's possible that you may encounter temporary issues like this in the early preview of a feature. If you see the control toggle and text greyed out for a sustained period of time, check to confirm if you're signed-in. Password Monitor requires users to be signed-in to the browser. 

@Suhrid_Palsule does it check the actual password or hash of it?

I guess it is hash checking because checking the blank password is privacy concern.

It would be interesting to implement this for other user inputs like Credit Cards, National ID Number, ...

I have observed several stolen Credit Card number on Dark Web too.

Yes, the latter. Advanced privacy-preserving methods are used to ensure that the actual username-password remains protected.

True - there are data-types other than login information available online. Those are presently beyond the scope of Password Monitor.

@Suhrid_Palsule Is the database very large, compressed? Wouldn't it be more secure to do the breach check "offline" on the Edge clients? Or you are doing the breach check online, where the synced passwords are stored?

@Suhrid_Palsule I have received alerts that passwords have been leaked for localhost. I don't have IIS, apache or any web server running locally.  I recognize one of the usernames, but of course I cannot change any credentials for localhost. I've attached a screenshot from my profile settings. How were these leaked passwords for localhost detected? Thanks in advance.

Hi @desertcoder, thank you for your feedback. All username-password pairs stored in Microsoft Edge are automatically scanned to check if they've been leaked online in a previous breach. This includes localhost sites as well. For alerts that you might not want to act upon right now, you can move the same to the 'Ignored alerts' section. 

@Suhrid_Palsule Great feature indeed. Looking forward to have this

@Suhrid_Palsule I certainly like this feature, but have a couple of enhancements:

  1. In addition to being able to Ignore the "leaked password," please add the option to just delete it from my saved passwords. All of the passwords that have shown up in this list are old accounts that are no longer valid. Since I have hundreds of saved passwords, manually finding and deleting could be made much simpler by just letting the user delete them.
  2. Add the ability to see list of ignored password. I initially chose to ignore. When I went back to find them and manually delete them, I can find that list since I no longer get the warning that takes me to the list.

Thanks!

@Suhrid_Palsule 

 

Love how this is all falling into place.  Love the setup/design.. 

 

Annotation 2020-07-31 114747.jpg

Annotation 2020-07-31 114843.jpg

Great Job all!

Dennis5mile

@Don Kirkham 

These are valid points, Don. Both will be taken into consideration as the feature design evolves. Thank you!

@Suhrid_Palsule 

I have just, unintentionally, tried Password Monitor. It seems like a good feature. When I used it for the first time it told me that 2 of my passwords were unsafe. This caught my attention! It turns out that the two passwords were for 192.168.1.x. These are not used on any of my network machines but were presumably, from my having been on some other private network at some time.

My suggestion is that 192.168.x.x and 10.0.x.x be excluded from the scanning.

It is a good feature apart from giving me high blood pressure!

Hi @mgw000, glad you found the feature useful! Password Monitor scans and notifies the user of all compromised passwords, without exception. However, we hear you about excluding IP Addresses from the scan; many users unfortunately use weak passwords for networks, routers and such. To that end, there's an easy to use 'Ignore' button that moves such password entries into an ignore tray - from which point on, there will be no further action sought on them by the browser. 

Let us know if this answers your question. 

@Suhrid_Palsule 

 

When will the Password Monitor feature show up in the release version of Edge?  I have a Chrome extension that this morning advised me that it will not work after today since it will be in Chrome.  So when Will it be in Edge or do I have to go to the Dev release?