Jun 24 2020 10:52 AM - edited Jun 24 2020 11:01 AM
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps—for example, the kind we use to order products—become the target of data breaches.
These leaked usernames and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. When an account is taken over, its owner can be the target of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
Though people are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice. This leaves them vulnerable on multiple sites when breaches occur.
Password Monitor helps Microsoft Edge customers protect their online accounts by informing them if any of their passwords have been compromised, so they can update them. Changing their passwords immediately is the best way to prevent their accounts from being hijacked.
How Password Monitor works
After you turn on Password Monitor, Microsoft Edge begins proactively checking the passwords you’ve saved in the browser against a large database of known breached credentials that are stored in the cloud. If any of your passwords match those in the database, they will be shown on the Password Monitor page in Settings > Profiles > Passwords > Password Monitor. Passwords listed there are no longer safe to use and need to be changed immediately.
When your credentials are checked against the database of known leaked credentials, powerful encryption helps prevent your information from being revealed to anyone. Information about which password has been compromised is only available to you.
Turn on Password Monitor
To turn on Password Monitor:
What to do if you discover your password is unsafe
Jun 24 2020 01:24 PM - edited Jun 24 2020 01:25 PM
@Suhrid_Palsule wrote:
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Turn on Password Monitor
To turn on Password Monitor:
- Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
- In your browser settings, go to Profiles > Passwords.
- Turn on the toggle next to “Show alerts when passwords are found in an online leak”. After the toggle is turned on, any unsafe passwords will be displayed on the Password Monitor page in your browser settings > Passwords.
I'm not seeing that switch at all. This is all I have in Password;
Version 85.0.556.0 (Official build) canary (64-bit)
Dennis5mile
Jun 24 2020 03:23 PM
@Dennis5mile You actually included the answer in your question. 🙂
@Dennis5mile wrote:
@Suhrid_Palsule wrote:
Note: We are in the process of deploying this feature, so it may be a little while before you see it in your respective channel and build.
Fawkes (they/them)
Project & Community Manager - Microsoft Edge
Jun 24 2020 04:34 PM
Jun 24 2020 10:42 PM
Settings\Profiles\Passwords\Passwords found in an online leak........
Jun 25 2020 04:42 AM - edited Jun 25 2020 04:48 AM
@Deleted
hhmmm,
Ok so this morning as I normally do when I open/start edge Can for the day, I check all my settings to see if anything has changed. I find that now I have this feature, however the "Suggest strong passwords" feature that I had and had it switched on, is there but it is now greyed out....
What happened?
Dennis5mile
Ok, hhhmm scratch everything above... As I was typing the reply above Can stopped responding and when it started responding again, this post got posted. I rechecked my settings and to my surprise, that setting that was greyed out, is now available and switched on....
Go figure... lol
Dennis5mile
Jun 25 2020 07:11 AM
@Dennis5mile It's possible that you may encounter temporary issues like this in the early preview of a feature. If you see the control toggle and text greyed out for a sustained period of time, check to confirm if you're signed-in. Password Monitor requires users to be signed-in to the browser.
Jun 25 2020 07:19 AM
@Suhrid_Palsule does it check the actual password or hash of it?
I guess it is hash checking because checking the blank password is a privacy concern.
It would be interesting to implement this for other user inputs like Credit Cards, National ID Number, ...
I have observed several stolen Credit Card numbers on the Dark Web too.
Jun 25 2020 07:47 AM
Jun 25 2020 09:38 AM
@Suhrid_Palsule Is the database very large, compressed? Wouldn't it be more secure to do the breach check "offline" on the Edge clients? Or you are doing the breach check online, where the synced passwords are stored?
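The two questions above (hash versus actual password, and checking on the client versus online) can be made concrete with a hash-prefix range query, where the client sends only the first few characters of the password's hash and does the comparison locally. This is an added example, not code from the original posts and not a description of how Password Monitor is implemented, which the thread does not detail; `BreachService`, `PREFIX_LEN` and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the digest that leave the client (assumption)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachService:
    """Stand-in for the cloud side: holds hashes only, bucketed by prefix."""

    def __init__(self, breached_passwords):
        self.buckets = defaultdict(set)
        self.seen_queries = []  # everything the service learns from clients
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self.buckets[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])

    def range_query(self, prefix: str):
        # Returns every known suffix sharing the prefix; the service cannot
        # tell which one (if any) the client was asking about.
        self.seen_queries.append(prefix)
        return set(self.buckets.get(prefix, set()))


def is_breached(password: str, service: BreachService) -> bool:
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    # A full unsalted hash of a weak password can be reversed by guessing,
    # so only the short prefix is sent and the match is decided locally.
    return suffix in service.range_query(prefix)


# Constructed sample data, not real breach records.
SERVICE = BreachService(["password1", "letmein", "qwerty123"])


def check_saved(saved):
    """Map each saved site to True if its password is in the breach set."""
    return {site: is_breached(pw, SERVICE) for site, pw in saved.items()}


if __name__ == "__main__":
    print(check_saved({"shop.example": "letmein", "bank.example": "t7#Vq9!mZp2x"}))
    print("service saw:", SERVICE.seen_queries)
```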
Jun 26 2020 11:53 AM
@Suhrid_Palsule I have received alerts that passwords have been leaked for localhost. I don't have IIS, apache or any web server running locally. I recognize one of the usernames, but of course I cannot change any credentials for localhost. I've attached a screenshot from my profile settings. How were these leaked passwords for localhost detected? Thanks in advance.
Jun 27 2020 11:35 PM
Hi @desertcoder, thank you for your feedback. All username-password pairs stored in Microsoft Edge are automatically scanned to check if they've been leaked online in a previous breach. This includes localhost sites as well. For alerts that you might not want to act upon right now, you can move the same to the 'Ignored alerts' section.
Jul 04 2020 12:47 AM - edited Jul 04 2020 12:50 AM
@Suhrid_Palsule Great feature indeed. Looking forward to having this
Jul 29 2020 07:57 AM
@Suhrid_Palsule I certainly like this feature, but have a couple of enhancements:
Thanks!
Jul 31 2020 09:04 AM
Love how this is all falling into place. Love the setup/design..
Great Job all!
Dennis5mile
Aug 23 2020 09:04 PM
@Don Kirkham
These are valid points, Don. Both will be taken into consideration as the feature design evolves. Thank you!
Aug 27 2020 09:54 PM
I have just, unintentionally, tried Password Monitor. It seems like a good feature. When I used it for the first time it told me that 2 of my passwords were unsafe. This caught my attention! It turns out that the two passwords were for 192.168.1.x. These are not used on any of my network machines but were, presumably, from my having been on some other private network at some time.
My suggestion is that 192.168.x.x and 10.0.x.x be excluded from the scanning.
It is a good feature apart from giving me high blood pressure!
Aug 27 2020 10:46 PM
Hi @mgw000, glad you found the feature useful! Password Monitor scans and notifies the user of all compromised passwords, without exception. However, we hear you about excluding IP Addresses from the scan; many users unfortunately use weak passwords for networks, routers and such. To that end, there's an easy to use 'Ignore' button that moves such password entries into an ignore tray - from which point on, there will be no further action sought on them by the browser.
Let us know if this answers your question.
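The exchange above turns on which saved entries point at local hosts, and the two ranges suggested (192.168.x.x and 10.0.x.x) are not the whole set: 172.16.0.0/12, loopback, link-local and IPv6 forms also occur. This is an added example, not part of the original posts or Edge's code, that sorts alert entries by address class so local-device entries can be reviewed separately; `classify_origin`, `triage` and the sample entries are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_origin(url: str) -> str:
    """Return 'loopback', 'link-local', 'private', 'local-name', 'public' or 'unknown'."""
    # Entries saved without a scheme ("localhost:8080") would otherwise be
    # parsed with "localhost" as the scheme, so force a network-location parse.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if not host:
        return "unknown"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label and .local names resolve only locally.
        return "local-name" if host.endswith(".local") or "." not in host else "public"
    if ip.is_loopback:        # 127.0.0.0/8 and ::1
        return "loopback"
    if ip.is_link_local:      # 169.254.0.0/16 and fe80::/10
        return "link-local"
    if ip.is_private:         # includes 10/8, 172.16/12 and 192.168/16
        return "private"
    return "public"


# Constructed alert entries (url, username); not taken from the thread.
ALERTS = [
    ("https://shop.example.com/login", "alice"),
    ("http://192.168.1.1/", "admin"),
    ("http://10.0.0.5:8080/", "admin"),
    ("http://172.16.4.2/", "root"),      # RFC 1918, outside the two suggested ranges
    ("http://172.32.0.9/", "bob"),       # looks similar but is publicly routable
    ("localhost:3000", "dev"),
    ("http://[::1]:5000/", "dev"),
    ("http://printer.local/", "admin"),
]


def triage(alerts):
    """Group alert entries by the address class of their origin."""
    groups = {}
    for url, user in alerts:
        groups.setdefault(classify_origin(url), []).append((url, user))
    return groups


if __name__ == "__main__":
    for kind, entries in triage(ALERTS).items():
        print(kind, entries)
```

Entries in the `private` and `loopback` groups cannot be changed on a website, but a match still means that password appears in breach data and should be changed on the device and not reused elsewhere.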
Aug 31 2020 07:03 AM
When will the Password Monitor feature show up in the release version of Edge? I have a Chrome extension that this morning advised me that it will not work after today since it will be in Chrome. So when will it be in Edge or do I have to go to the Dev release?