Note: We are in the process of gradually rolling out this feature, so it may take a while before you see it in your respective channel and build.
Each year, hundreds of millions of usernames and passwords are exposed online when websites or apps become the target of data leaks.
Leaked usernames and passwords often end up for sale on the online black market, commonly referred to as the Dark Web. Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. If one of your accounts is breached, you can be the victim of fraudulent transactions, identity theft, illegal fund transfers, or other illegal activities.
Although people are regularly cautioned against reusing the same username and password combination for more than one online account, it’s a common practice, which leaves them vulnerable on multiple sites if even one of their passwords gets leaked.
Password Monitor helps protect your online accounts in Microsoft Edge by informing you when any of your passwords have been compromised, so you can update them. Changing passwords immediately is the best way to prevent your account from being hijacked.
How Password Monitor works
When you turn on Password Monitor for the first time, Microsoft Edge checks the passwords you’ve saved in the browser against a large database of known leaked passwords that are stored in the cloud. If any of your username-password pairs match those in the database, they'll appear on the Password Monitor page in Microsoft Edge Settings. Any passwords listed there are no longer safe to use and you should change them immediately.
Note: All your username-password pairs will be automatically scanned the first time this capability is enabled. After that, every username-password combination will be checked each time it is used (meaning saved or auto-filled). To scan all your passwords again, click the Scan now button on the Password Monitor page.
In addition to the details available on the Password Monitor page, you may also see one or more of the notifications below informing you that you have unsafe passwords that need to be updated:
Summary notification
When you turn on Password Monitor for the first time, all your saved passwords will be scanned to see if any of them have been compromised. If any of your passwords match those in the list of known leaked passwords, a notification appears:
This notification appears only once each time a new password is found to be unsafe. When you see the notification, you have two options—you can select View details to see more details or you can select Not now to dismiss this notification.
Settings and more menu alert
If you dismiss the summary notification, a small badge will continue to be visible in the Settings and more menu.
If you select Settings and more when the badge is visible, Microsoft Edge will display an alert telling you the number of passwords that are compromised. Selecting this alert will direct you to the Password Monitor settings page.
Website notification
Besides the notifications mentioned above, you may also see an alert when you visit a website that has a saved password which is known to be unsafe.
The alert won't appear for passwords that are included in the Ignore list. To stop seeing an alert, simply move that password entry to the Ignore list in the Password Monitor settings page.
Scan Now
In addition to an automated scan when the feature is turned on, you can now also check the security of your passwords anytime by using Scan now. You'll find this option on the Password Monitor settings page.
To check your passwords anytime, select Scan now. The scan completes in seconds and you can learn about which of your passwords are unsafe and need to be updated immediately to stay protected.
Security & privacy
The security and privacy of your data is at the very heart of the design of Password Monitor. We have made this goal our ultimate and uncompromising priority.
When Password Monitor checks your credentials against the database of known leaked credentials, powerful encryption helps protect your information from being revealed to anyone. Only you know which of your saved passwords are compromised—not even Microsoft knows this.
To turn on Password Monitor
Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account.
Go to Settings and more > Settings > Profiles > Passwords.
Turn on Show alerts when passwords are found in an online leak. You may need to expand More settings to see the option.
Any unsafe passwords will be displayed on the Password Monitor settings page.
If you're signed in and syncing your passwords, Password Monitor will be automatically on for your browser. You'll also see a message informing you of it. You can go to Settings and more > Profiles > Passwords and turn off Password Monitor anytime.
You may also see a different message asking you if you want to turn on Password Monitor. Select Yes to turn the feature on, which will then check whether any of your passwords have been leaked. If you want to decide later, you can always go to Settings and more > Passwords and turn off Password Monitor anytime.
Responding to notifications
If you learn that a password is no longer safe, you can choose how to respond.
Go to Settings and more > Settings > Profiles > Passwords > Password Monitor.
You'll find all your unsafe passwords listed here. Any passwords listed here were found to match those in the database of compromised passwords and are no longer safe to use—you should update them immediately.
For each account password listed on the page, do one of the following:
To change the password, select Change. You’ll be taken to the respective website where you must update your password.
If an entry in the list of compromised passwords is no longer relevant to you, select Ignore. Password Monitor adds the password to a list of ignored alerts.
If you've ignored an alert, you can restore it from the Ignored alerts list by selecting Restore.
We’ve also taken measures to make the task of updating passwords a little easier. Password Monitor now integrates the well-known URL web standard. This means that for select websites (such as GitHub, Twitter, and WordPress), selecting the Change button will take you directly to the respective change password pages of those websites.
This feature saves you time you'd otherwise need to spend navigating to where you can change your password for that website.
Tip: There's no special indication for a website that supports the URL web standard; the Change button looks the same regardless.
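How a Change button can pick its destination under the well-known URL standard, shown as an added example that is not Microsoft Edge's code. It assumes the paths defined in the W3C drafts "A Well-Known URL for Changing Passwords" and "Detecting the reliability of HTTP status codes", which this page does not spell out; changePasswordTarget, statusOf and the .example hosts are hypothetical, and the HTTP statuses are constructed sample data instead of live requests.

```javascript
// Added example, not Microsoft Edge code. Both paths come from the W3C drafts
// named in the lead-in, not from this page.
const CHANGE_PASSWORD_PATH = "/.well-known/change-password";
const PROBE_PATH =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";

const isOk = (status) => status >= 200 && status <= 299;

// savedLoginUrl: the URL stored with the saved credential.
// statusOf(url): hypothetical caller-supplied lookup that returns the final
// HTTP status after redirects (0 means the request failed).
function changePasswordTarget(savedLoginUrl, statusOf) {
  const origin = new URL(savedLoginUrl).origin; // drop path and query
  const fallback = origin + "/";

  // A site that answers 2xx for a path that cannot exist returns "soft 404"
  // pages, so a 2xx on the well-known URL would prove nothing.
  if (isOk(statusOf(origin + PROBE_PATH))) return fallback;

  // Reliable status codes: trust the well-known URL only if it resolves.
  const wellKnown = origin + CHANGE_PASSWORD_PATH;
  return isOk(statusOf(wellKnown)) ? wellKnown : fallback;
}

// Constructed sample data: final status per probed URL.
const sampleStatuses = new Map([
  ["https://supports.example" + PROBE_PATH, 404],
  ["https://supports.example" + CHANGE_PASSWORD_PATH, 200],
  ["https://softfail.example" + PROBE_PATH, 200],
  ["https://softfail.example" + CHANGE_PASSWORD_PATH, 200],
  ["https://plain.example" + PROBE_PATH, 404],
  ["https://plain.example" + CHANGE_PASSWORD_PATH, 404],
]);
const statusOf = (url) => sampleStatuses.get(url) ?? 0;

for (const saved of [
  "https://supports.example/login?next=%2F",
  "https://softfail.example/signin",
  "https://plain.example/account/login",
]) {
  console.log(saved, "->", changePasswordTarget(saved, statusOf));
}
```

A site operator can opt in by answering the change-password path with a redirect to the real password form while returning a genuine 404 for unknown paths.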
I see known old or weak passwords listed as unsafe; I know this already.
No matter how strong or new, any username and password combination that matches one in the list will be flagged as compromised. For this reason, local IP addresses or passwords for routers or local websites may also be included.
This is where the Ignore button comes in handy; it's intended to help quickly dismiss any compromised passwords that are no longer relevant to you.
Are passwords stored in Microsoft Edge safe?
Data leaks of third-party websites and apps cause user data (including, but not limited to, usernames and passwords) to become public. These passwords are not the same as your passwords stored in Microsoft Edge.
Microsoft Edge only checks the passwords saved in the browser against the known list of compromised credentials and alerts you if your accounts are at risk.
Flagging some of the stored passwords in the list as compromised in no way implies that the passwords stored in Microsoft Edge were exposed in any way. It's just an indication that these passwords are now in the public domain as a result of third-party data leaks and are no longer safe to use.
Passwords stored in the browser are now more secure because Password Monitor warns you of your unsafe passwords so you can change them.
Why are passwords leaking out? Is Microsoft Edge not protecting them?
A leaked password alert is shown when one or more passwords match those found in a list of stolen credentials.
Such lists surface on the internet from time to time. They’re published because an app or website was breached somewhere on the web. It’s important to note that these leaks have nothing to do specifically with Microsoft Edge or any other Microsoft apps. Your passwords were not leaked from Microsoft Edge; the list of credentials came from some other app or website.
Also, the moment when you're shown this alert is usually not the same as the moment when the credentials were first leaked online. The actual leak could have happened anytime, from just a few days ago to several years ago. Regardless, it still means that the passwords you're being warned about are compromised and are no longer safe to use.
How can I trust you with my passwords if you keep sending me alerts that they’re leaked?
Microsoft Edge is not responsible for leaking your credentials online; these were compromised when another app or website was breached. Password Monitor in Microsoft Edge scans your saved passwords against a database of known leaked credentials and informs you when your passwords have been compromised.
All your passwords are scanned automatically the first time you enable this feature. Thereafter, any password you use, save or update is scanned automatically. Of course, you can run a scan yourself anytime for all your saved passwords by going to edge://settings/passwords.
Did I do something wrong that caused this?
No. Most users didn’t take any specific action that caused their passwords to appear in an online leak. Bad actors steal information from apps and websites, not from a user’s device.
Are browser-generated passwords more prone to getting leaked?
Browser-generated passwords are not more prone to being compromised. If anything, the fact that you've chosen a completely random set of characters as your password (as opposed to, say, reusing an existing password) makes them relatively more secure than other passwords you could use.
When were my passwords leaked?
The password leak that you're being warned about could have happened anytime—from a few days to a few years ago! Whenever the leak occurred, once a password is made public, it’s no longer safe to use.
How do I know whether to take action or not? Please add some context and share details about these data leaks.
Any saved passwords flagged as compromised are now public information and should not be used. Please consider changing these passwords, especially if you’re using them for sensitive accounts such as your email or bank. Because Microsoft only stores the list of leaked passwords, we can’t share the time and source of these leaks. However, this information is not as important as the bottom line, which is that these password pairs are no longer safe to use and should be changed as soon as possible.
Can you share logs with me to explain how this has happened despite using VPN and antivirus software?
Your password being exposed in an online list is not related to the security of your current device. Using an antivirus or other security software (such as a VPN) has no bearing on your passwords being compromised, as passwords are not stolen directly from your device or the browser but rather from the servers of another app or website.
How worried should I be that I received a report saying 12 passwords leaked, but it doesn't say when—so I have no idea which ones and what action I need to take?
Any password that is flagged as unsafe should be changed as soon as possible, especially for websites that you use that contain sensitive personal information that you want to protect, such as your email or bank account.
I keep getting messages about leaks, even after deleting accounts or about accounts that I don't care about.
The frequency of the alerts has been updated, along with adding more options to turn off alerts that you no longer wish to see, giving you more control. You can now turn off the in-website alert or select Ignore for passwords that are no longer relevant to you.
What if I don’t do anything about my compromised passwords?
Hackers use automated scripts to try different stolen username and password combinations to hijack people’s accounts. If one of your accounts is taken over, you can be the victim of fraudulent transactions, identity theft, unauthorized transfers of money, or other illegal activities.
Not updating your leaked password exposes you to the above risks. We recommend changing your compromised passwords as soon as possible.
I’m concerned about autofill entering credentials on a phishing website.
You can choose to use the 'primary password' capability to require authentication before autofill. This way, autofill will only work when you authorize it. To find more details, go to Additional privacy for your saved passwords.
Why is it enabled for me? I don't want to use it.
For some users, this capability is turned on automatically (you can find more details about Password Monitor being auto-enabled). In general, Password Monitor is a capability that all users should have enabled, as it helps prevent attackers from accessing your personal info. However, if you want to turn it off, it’s easy to do so by going to edge://settings/passwords.