Every year, hundreds of millions of usernames and passwords are exposed online when websites or applications become the target of data leaks.
Leaked usernames and passwords often end up for sale on the online black market, commonly known as the dark web. Hackers use automated scripts to test different stolen username and password combinations to break into people's accounts. If one of your accounts is taken over, you may become a victim of fraudulent transactions, identity theft, illegal fund transfers or other illegal activities.
Although users are advised not to reuse the same username and password combination for more than one online account, doing so is common practice, which leaves them vulnerable on multiple sites when even one password is leaked.
Password Monitor helps you protect your online accounts in Microsoft Edge by informing you if any of your passwords are compromised, so you can update them. Changing passwords immediately is the best way to prevent your account from being hacked.
How the password monitor works
When Password Monitor is enabled, Microsoft Edge checks the passwords stored in the browser against a large database of known leaked passwords stored in the cloud. If any of your username and password pairs match those in the database, they will appear on the Password Monitor page in Microsoft Edge settings. The passwords listed there are no longer safe to use and you should change them immediately.
In addition to the details available on the Password Monitor page, you may also see one or more of the notifications below to inform you that you have unsecured passwords that need to be updated:
- Summary Notification: When you activate Password Monitor for the first time, all passwords will be checked to see if any of them are compromised. If any of your passwords match those in the list of known leaked passwords, a notification appears.
  This notification appears only once each time a new password is found to be unsafe. When you see the notification, you have two options: select View details to see more details, or Not now to dismiss this notification.
- If you dismiss the summary notification, a small badge will still be visible in the Settings and more menu.
  If you select Settings and more when the badge is visible, Microsoft Edge will display an alert telling you the number of passwords that are compromised. By selecting this alert, you will be directed to the Password Monitor page.
- Website Notification: In addition to the notifications mentioned above, you may also see an alert when you visit a website whose saved password is known to be unsafe.
  The alert will not appear for passwords that are included in the Ignore list. To stop seeing an alert, simply move that password entry to the Ignore list on the Password Monitor page.
- Scan Now: In addition to performing an automated scan when the feature is enabled, you can now also check the security of your passwords at any time using Scan Now. You will find this option on the Password Monitor page.
  To check passwords at any time, select Scan Now. The scan completes in a matter of seconds and shows you which passwords are not secure, so you can stay protected.
Security and privacy
Security and privacy of your data are at the core of the Password Monitor design. We have made this objective our top priority without compromise.
When Password Monitor checks credentials against the database of known leaked credentials, strong encryption helps protect the information from being revealed to anyone. Only you know which of your saved passwords are compromised; not even Microsoft knows.
Activate the password monitor
- Make sure you are signed in to Microsoft Edge with your Microsoft account or your work or school account.
- Go to Settings and more > Settings > Profiles > Passwords.
- Enable Show alerts when passwords are found in an online leak. Unsecured passwords will be displayed on the Password Monitor page.
Enable automatically
If you are signed in and syncing passwords, Password Monitor will be enabled automatically in the browser. You will also see a message informing you of this.
You can go to Settings and more > Profiles > Passwords and disable Password Monitor at any time.
You may also see a different message asking if you want to activate Password Monitor. Select Yes to enable the feature, which will check whether any of your passwords have been leaked. If you wish to decide later, you can always go to Settings and more > Passwords and disable Password Monitor at any time.
Respond to notifications
If you learn that a password is no longer secure:
- Go to Settings and more > Settings > Profiles > Passwords > Password Monitor.
- Here you will find all unsecured passwords. The passwords listed here were found to match those in the compromised password database. They are no longer safe to use and you should update them immediately.
- For each account password listed on the page, perform one of the following actions:
  - To change your password, select Change. You will be taken to the appropriate website, where you must update your password.
  - If an entry in the compromised password list is no longer relevant to you, select Ignore. Password Monitor adds the password to a list of ignored alerts.
If you have missed an alert, you can restore it from the list of ignored alerts by selecting Restore.
We have also taken steps to make it a little easier to update passwords. Password Monitor now integrates the well-known URL web standard. This means that, for selected websites (such as GitHub, Twitter and WordPress), selecting the Change button will take you directly to the corresponding change-password pages of those websites.
This feature saves you the time you would otherwise spend navigating to the page where you can change the password for that website.
Hint: There is no special indication that a website supports the well-known URL web standard; the Change button looks the same regardless.
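For site operators who want to know whether a Change button could deep-link to their site, the following added example (not part of the original article and not Microsoft Edge's own code) applies the rules of the "A Well-Known URL for Changing Passwords" specification and its companion status-code reliability check to constructed responses. The origins, the `make_site` helper and the HTTPS-only rule for redirect targets are assumptions made for the illustration.

```python
from urllib.parse import urljoin, urlsplit

CHANGE_PASSWORD_PATH = "/.well-known/change-password"
# Probe path from the companion "reliability of HTTP status codes" draft.
PROBE_PATH = ("/.well-known/"
              "resource-that-should-not-exist-whose-status-code-should-not-be-200")
REDIRECT_STATUSES = {302, 303, 307}  # redirect statuses the spec recommends


def status_codes_reliable(fetch):
    """A site answering 2xx for a path that must not exist cannot be trusted."""
    status, _ = fetch(PROBE_PATH)
    return not 200 <= status <= 299


def change_password_target(origin, fetch):
    """Return the URL a Change button could open, or None if unsupported.

    fetch(path) -> (status, Location header or None), redirects not followed.
    """
    if not status_codes_reliable(fetch):
        return None
    status, location = fetch(CHANGE_PASSWORD_PATH)
    if status in REDIRECT_STATUSES and location:
        target = urljoin(origin, location)
        # Assumption added here: never send a password change over plain HTTP.
        return target if urlsplit(target).scheme == "https" else None
    if 200 <= status <= 299:
        return origin + CHANGE_PASSWORD_PATH
    return None


def make_site(routes, default=(404, None)):
    """Hypothetical stand-in for an HTTP client: canned (status, location)."""
    return lambda path: routes.get(path, default)


# Constructed sample sites; no network access is made.
ORIGIN = "https://shop.example.test"
redirecting = make_site({CHANGE_PASSWORD_PATH: (302, "/account/security/password")})
soft_404 = make_site({}, default=(200, None))   # every path returns 200
unsupported = make_site({})                      # every path returns 404
downgrade = make_site({CHANGE_PASSWORD_PATH: (302, "http://shop.example.test/pw")})
direct = make_site({CHANGE_PASSWORD_PATH: (200, None)})

if __name__ == "__main__":
    for name, site in [("redirecting", redirecting), ("soft_404", soft_404),
                       ("unsupported", unsupported), ("downgrade", downgrade)]:
        print(name, "->", change_password_target(ORIGIN, site))
```

A site that returns 200 for every path fails the reliability probe, so a 200 at the well-known path says nothing about support there; such a site needs a real 404 for unknown paths before the redirect can be detected.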
Frequently Asked Questions
I see that old or unsecured passwords are shown as unsecured; I know.
Regardless of security or novelty, any username/password combination that matches one on the list will be marked as compromised. For this reason, local IP addresses or passwords of local routers or websites can also be included.
This is where the Ignore button comes in handy; it is intended to help you quickly discard compromised passwords that are no longer relevant to you.
Are passwords stored in Microsoft Edge secure?
Data leaks from third-party applications and websites cause user data (including, but not limited to, usernames and passwords) to become public. These passwords are not the same as those stored in Microsoft Edge.
Microsoft Edge only checks passwords stored in the browser against the known list of compromised credentials and alerts you if your accounts are at risk.
Marking some of the stored passwords as compromised in no way implies that passwords stored in Microsoft Edge have been exposed. It only indicates that these passwords are now public as a result of a third-party data leak and are no longer safe to use.
Passwords stored in the browser are now more secure, as the Password Monitor alerts you to unsecured passwords so you can change them.