Note: We are in the process of gradually rolling out this feature, so it may take a while before you see it in your respective channel and build.
Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps become the target of data leaks.
Leaked usernames and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. If one of your accounts is taken over, you can be the victim of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
Although people are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice, which leaves them vulnerable on multiple sites when even one password gets leaked.
Password Monitor helps you protect your online accounts in Microsoft Edge by informing you when any of your passwords have been compromised, so you can update them. Changing passwords immediately is the best way to prevent your account from being hijacked.
How Password Monitor works
When you turn on Password Monitor, Microsoft Edge checks the passwords you’ve saved in the browser against a large database of known leaked passwords that are stored in the cloud. If any of your username-password pairs match those in the database, they'll appear on the Password Monitor page in Microsoft Edge Settings. Any passwords listed there are no longer safe to use and you should change them immediately.
In addition to the details available on the Password Monitor page, you may also see one or more of the notifications below informing you that you have unsafe passwords that need to be updated:
Summary notification
When you turn on Password Monitor for the first time, all your passwords will be checked to see if any of them have been compromised. If any of your passwords match those in the list of known leaked passwords, a notification appears:
This notification appears only once each time a new password is found to be unsafe. When you see the notification, you have two options: Click View details to see more details or Not now to dismiss this notification.
Settings and more menu alert
If you dismiss the summary notification, a small badge will continue to be visible in the Settings and more menu.
If you select Settings and more when the badge is visible, Microsoft Edge will display an alert telling you the number of passwords that are compromised. Selecting this alert will direct you to the Password Monitor page.
Website notification
Besides the notifications mentioned above, you may also see an alert when you visit a website whose saved password is known to be unsafe.
The alert won't appear for passwords that are included in the Ignore list. To stop seeing an alert, simply move that password entry to the Ignore list in the Password Monitor page.
Scan now
In addition to an automated scan when the feature is turned on, you can now also check the security of your passwords anytime by using Scan now. You'll find this option on the Password Monitor page.
To check your passwords anytime, select Scan now. The scan completes in seconds and you can learn about which of your passwords are unsafe and stay protected.
Security & privacy
The security and privacy of your data is at the very heart of the design of Password Monitor. We have made this goal our utmost and uncompromising priority.
When Password Monitor checks your credentials against the database of known leaked credentials, powerful encryption helps protect your information from being revealed to anyone. Only you know which of your saved passwords are compromised—not even Microsoft knows this.
Turn on Password Monitor
Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
Go to Settings and more > Settings > Profiles > Passwords.
Turn on Show alerts when passwords are found in an online leak. Any unsafe passwords will be displayed on the Password Monitor page.
If you're signed in and syncing your passwords, Password Monitor will be automatically enabled in your browsers. You'll also see a message informing you of it.
You can go to Settings and more > Profiles > Passwords and turn off Password Monitor anytime.
You may also see a different message asking you if you want to turn on Password Monitor. Select Yes to enable the feature, which will then check whether any of your passwords have been leaked. If you want to decide later, you can always go to Settings and more > Passwords and turn off Password Monitor anytime.
Responding to notifications
If you learn that a password is no longer safe:
Go to Settings and more > Settings > Profiles > Passwords > Password Monitor.
You'll find all your unsafe passwords listed here. Any passwords listed here were found to match those in the database of compromised passwords and are no longer safe to use; you should update them immediately.
For each account password listed on the page, do one of the following:
To change the password, select Change. You’ll be taken to the respective website where you must update your password.
If an entry in the list of compromised passwords is no longer relevant to you, select Ignore. Password Monitor adds the password to a list of ignored alerts.
If you've ignored an alert, you can restore it from the Ignored alerts list by selecting Restore.
We’ve also taken measures to make the task of updating passwords a little easier. Password Monitor now integrates the well-known URL web standard. This means that for select websites (such as GitHub, Twitter, and WordPress), selecting the Change button will take you directly to the respective change password pages of those websites.
This feature saves you the time you'd otherwise need to take to navigate to where you can change your password for that website.
Tip: There's no special indication for a website that supports the URL web standard; the Change button looks the same regardless.
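The well-known URL referred to above is the `/.well-known/change-password` path from the W3C "A Well-Known URL for Changing Passwords" specification. The following is an added example, not Microsoft Edge's code, of how a client can derive that URL from a saved login and check whether a site's answer can be trusted. The function names, the `statusOf` lookup, the sample hosts and the fallback to the site's home page are assumptions made for illustration.

```javascript
// Added example: not Microsoft Edge's implementation.
// Paths defined by the W3C "A Well-Known URL for Changing Passwords" spec.
const CHANGE_PATH = "/.well-known/change-password";
const PROBE_PATH =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";

const isOk = (status) => status >= 200 && status <= 299;

// Origin of a saved login (scheme + host + port), or null if unusable.
function originOf(savedLoginUrl) {
  try {
    const u = new URL(savedLoginUrl);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null; // not a parseable URL
  }
}

// statusOf(url) is a hypothetical lookup returning the final HTTP status
// after redirects; a real client would issue the requests instead.
function changeTarget(savedLoginUrl, statusOf) {
  const origin = originOf(savedLoginUrl);
  if (origin === null) return null;
  const supported = isOk(statusOf(origin + CHANGE_PATH));
  // A site that answers 2xx for a path that must not exist (for example a
  // catch-all page) makes its 2xx on the change-password path meaningless.
  const reliable = !isOk(statusOf(origin + PROBE_PATH));
  // Assumed fallback: the site's home page, where the user navigates manually.
  return supported && reliable ? origin + CHANGE_PATH : origin + "/";
}

// Constructed sample responses; all hosts are placeholders.
const SAMPLE = new Map([
  ["https://shop.example" + CHANGE_PATH, 200], // redirect followed to settings
  ["https://shop.example" + PROBE_PATH, 404],
  ["https://spa.example" + CHANGE_PATH, 200],  // catch-all: everything is 200
  ["https://spa.example" + PROBE_PATH, 200],
  ["http://192.168.1.1" + PROBE_PATH, 404],    // router: no well-known support
]);
const sampleStatus = (url) => SAMPLE.get(url) ?? 404;

for (const saved of ["https://shop.example/login?next=/cart",
                     "https://spa.example/#/signin",
                     "http://192.168.1.1/admin"]) {
  console.log(saved, "->", changeTarget(saved, sampleStatus));
}
```

Site operators who want the Change button to land on the right page only need the well-known path to redirect to their real password-change form, and unknown paths to return a non-2xx status.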
I see known old or weak passwords listed as unsafe; I know this already.
No matter how strong or new, any username and password combination that matches one in the list will be flagged as compromised. For this reason, passwords saved for local IP addresses, routers, or local websites may also be included.
This is where the Ignore button comes in handy; it's intended to help quickly dismiss any compromised passwords that are no longer relevant to you.
Are passwords stored in Microsoft Edge safe?
Data leaks of third-party websites and apps cause user data (including, but not limited to, usernames and passwords) to become public. These passwords are not the same as your passwords stored in Microsoft Edge.
Microsoft Edge only checks the passwords saved in the browser against the known list of compromised credentials and alerts you if your accounts are at risk.
Flagging some of the stored passwords in the list as compromised in no way implies that the passwords stored in Microsoft Edge were exposed in any way. It's just an indication that these passwords are now in the public domain as a result of third-party data leaks and are no longer safe to use.
Passwords stored in the browser are now more secure because Password Monitor warns you of your unsafe passwords so you can change them.