Browser extensions like PassProtect warn you if the password you’re using to log into a site is known to have been compromised and listed in a data breach, often based on the excellent Have I Been Pwned service. Chrome and Firefox have introduced password breach notification inside the browser and when macOS Big Sur comes out, Safari will notify users if a password saved in their iCloud Keychain is compromised.
Password breach notification is one of the many Google services that Microsoft stripped out of the open-source Chromium code and replaced with its own implementation, which will ship in Edge 85 (the next stable version) on both Windows and macOS. Password Monitor, as it’s called, will pop up a notification if any of the usernames and passwords that you’ve let Edge save appear in a data breach, with a link to go to the site and change your credentials.
There will also be a dashboard in the Passwords section of Settings (Settings / Passwords / Password Monitor, or edge://settings/passwords/passwordMonitor) that shows any leaked passwords you haven’t yet dealt with, along with any earlier alerts you dismissed, in case you want to come back to them later. If you’re using the Canary or Dev channels of Edge you might see the dashboard already, or only a placeholder, because the feature is still being rolled out to users; either way, Password Monitor won’t start checking your saved passwords against breach data until you give Edge permission to do so.
Admins can manage the Password Monitor feature through group policy or the registry: the PasswordMonitorAllowed policy is a REG_DWORD stored under SOFTWARE\Policies\Microsoft\Edge\PasswordMonitorAllowed when it is enforced, or under SOFTWARE\Policies\Microsoft\Edge\Recommended\PasswordMonitorAllowed when it only sets a default that users can change. Disable the policy and users won’t be asked for permission to enable the feature and their passwords won’t be scanned; but even if you enable the policy they can still turn the feature off, so you may want to offer training so staff are comfortable that the scanning isn’t a risk to their privacy.
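As an added example (not from the article and not Microsoft’s tooling), the following PowerShell sets, clears and audits the PasswordMonitorAllowed policy in the registry of a single Windows machine. It assumes the standard Edge policy locations under HKLM (the enforced key at SOFTWARE\Policies\Microsoft\Edge and the recommended key one level below it); the function names are this example’s own.

```powershell
# Added example, not from the article or from Microsoft: set, clear and audit the
# PasswordMonitorAllowed policy in the registry of one Windows machine.
# Run from an elevated prompt; writing under HKLM needs administrator rights.

$MandatoryKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'              # enforced, user cannot override
$RecommendedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\Recommended'  # default only, user can change
$ValueName      = 'PasswordMonitorAllowed'

function Set-EdgePasswordMonitorPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Mandatory', 'Recommended')][string] $Scope,
        [Parameter(Mandatory)][bool] $Allowed
    )
    $key = if ($Scope -eq 'Mandatory') { $MandatoryKey } else { $RecommendedKey }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Edge policies are REG_DWORD values: 1 = enabled, 0 = disabled
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value ([int]$Allowed) -Force | Out-Null
}

function Clear-EdgePasswordMonitorPolicy {
    # Back to "not configured": Edge simply asks the user for consent
    foreach ($key in @($MandatoryKey, $RecommendedKey)) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

function Get-EdgePasswordMonitorPolicy {
    # Reads both locations and states what a user on this machine will experience
    $mandatory   = (Get-ItemProperty -Path $MandatoryKey   -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $recommended = (Get-ItemProperty -Path $RecommendedKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    if ($null -ne $mandatory -and $mandatory -eq 0) {
        $effect = 'Disabled by policy: no consent prompt, saved passwords are not checked, user cannot turn it on'
    } elseif ($null -ne $mandatory) {
        $effect = 'Allowed by policy: user is asked for consent and can still turn it off'
    } elseif ($null -ne $recommended) {
        $effect = "Recommended default = $recommended, user can change it in edge://settings/passwords"
    } else {
        $effect = 'Not configured: user decides when prompted'
    }
    [pscustomobject]@{ Mandatory = $mandatory; Recommended = $recommended; Effect = $effect }
}

# Usage: enforce "off" on a shared kiosk, audit the result, then put it back
Set-EdgePasswordMonitorPolicy -Scope Mandatory -Allowed $false
Get-EdgePasswordMonitorPolicy
Clear-EdgePasswordMonitorPolicy
```

Edge reads policy on start-up, so restart the browser after changing the value; edge://policy on the client shows whether the setting was picked up and from which scope. For a fleet you would push the same value through the Edge ADMX templates in group policy or Intune rather than writing the registry by hand.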
Finding leaked credentials
Like Google, Microsoft’s security team collects its own data about exposed credentials, from sources similar to Have I Been Pwned (researchers tracking leaks that show up on the so-called ‘dark web’ of hacker forums and sharing sites) but also from attacks on its own services. Office 365, Xbox Live and Outlook are among the first services attackers try leaked usernames and passwords against, because so many people reuse the same password on different sites; Microsoft calls this a ‘data breach replay attack’, and it detected 4.6 billion attempts to log into Microsoft services with passwords lost in data breaches in a single month (May 2018).
As of 2018, Microsoft was analysing 18 billion login attempts for 800 million accounts a day. About 300 million of those attempts were from hackers. Given that 3,800 data breaches exposed over 4 billion records in the first half of 2019, there are plenty of genuine passwords to try.
If a password you’ve saved in Edge for some other site shows up in attempts to log into one of the Microsoft services you use, whether because it’s a common password attackers are trying against everyone or because the other site suffered a breach, Password Monitor can alert you even before security researchers have a copy of that breach dump. Microsoft, Google and other large online services like Facebook (and national cyber security agencies around the world, who confiscate computers from suspects) also share information about leaked credentials and compromised accounts.
Those compromised password lists aren’t what Microsoft uses to build the global banned password list that stops you choosing an easily guessed password when you sign up for a Microsoft service; that list is built from the passwords actually used in attacks on accounts, with normalisation rules applied so that common substitutions like ‘0’ for ‘o’ or ‘$’ for ‘s’ don’t turn a banned password into an allowed one. Enterprises can already apply the global banned list, a custom banned list of their own terms and leaked-credential protection to the passwords used in their own environment, including on-premises Active Directory, through Azure AD Password Protection and Azure AD Identity Protection (the custom list and the on-premises agent need an Azure AD Premium P1 or P2 licence; Identity Protection’s leaked-credential detection needs P2, which is included in Microsoft 365 E5).
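To show what the normalisation and scoring actually do, here is an added PowerShell illustration (not Microsoft’s code) of the evaluation rules Azure AD Password Protection documents: lower-case the password, undo the substitutions 0 for o, 1 for l, $ for s and @ for a, reject outright anything within one edit of a banned term, and otherwise give one point for each banned term found and one point for every other character, with five points needed to pass. The banned lists, the function names and the test strings are constructed for this example; the two Contoso strings follow the worked pair in Microsoft’s documentation and score 4 (rejected) and 5 (accepted).

```powershell
# Added example, not Microsoft's code: the documented Azure AD Password Protection
# normalisation and scoring rules, run over a toy banned list.
# The banned terms below are constructed; the real global list is built by Microsoft
# from passwords seen in attacks and is not published.

$GlobalBanned = @('password', 'contoso', 'blank', 'qwerty', 'letmein')
$CustomBanned = @('fabrikam', 'tailspin')   # a tenant's own terms: brand names, products, city

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string] $Password)
    # Lower-case first, then undo the substitutions attackers already try themselves
    $n = $Password.ToLowerInvariant()
    return $n.Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')
}

function Get-EditDistance {
    param([string] $A, [string] $B)
    # Levenshtein distance with two rolling rows; used for the "fuzzy match" rule
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object 'int[]' ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-PasswordAgainstBannedList {
    param(
        [Parameter(Mandatory)][string] $Password,
        [string[]] $Banned = ($GlobalBanned + $CustomBanned),
        [int] $MinimumScore = 5      # documented threshold: a password needs at least five points
    )
    $normalized = ConvertTo-NormalizedPassword $Password
    # Longest terms first, so a longer banned term wins over a shorter one it contains
    $terms = $Banned | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object Length -Descending

    # Rule 1: the whole password within one edit of a banned term is rejected outright
    foreach ($t in $terms) {
        if ((Get-EditDistance $normalized $t) -le 1) {
            return [pscustomobject]@{ Password = $Password; Normalized = $normalized; Score = 0
                                      BannedTerms = $t; Accepted = $false; Reason = "fuzzy match on '$t'" }
        }
    }

    # Rule 2: tokenise; every banned term found = 1 point, every other character = 1 point
    $score = 0; $pos = 0; $found = @()
    while ($pos -lt $normalized.Length) {
        $rest = $normalized.Substring($pos)
        $hit  = $terms | Where-Object { $rest.StartsWith($_) } | Select-Object -First 1
        if ($hit) { $score++; $found += $hit; $pos += $hit.Length }
        else      { $score++; $pos++ }
    }
    $accepted = $score -ge $MinimumScore
    $reason   = if ($accepted) { 'score meets minimum' } else { "score $score is below $MinimumScore" }
    [pscustomobject]@{ Password = $Password; Normalized = $normalized; Score = $score
                       BannedTerms = ($found -join ','); Accepted = $accepted; Reason = $reason }
}

# Constructed inputs: the first two are the worked pair from Microsoft's documentation
'C0ntos0Blank12', 'ContoS0Bl@nkf9!', 'P@ssw0rd1', 'Fabrikam!Tailspin2020' |
    ForEach-Object { Test-PasswordAgainstBannedList -Password $_ } |
    Format-Table Password, Normalized, Score, BannedTerms, Accepted, Reason -AutoSize
```

Note that ‘P@ssw0rd1’ never reaches the scoring step: after normalisation it is one edit away from ‘password’, which is exactly the kind of variant the substitution and fuzzy rules exist to catch. The last string passes despite containing two custom banned terms, because the scheme scores what is left over rather than banning on any single match.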
Azure AD Identity Protection (a separate feature from Password Protection) uses the same leaked-credential data that Edge Password Monitor relies on, and also looks at patterns in sign-ins: whether users are coming from unfamiliar devices and IP addresses, for example, or signing in from a country they couldn’t have travelled to since their last sign-in. Edge doesn’t look at details of your connection like that, and getting notifications about compromised credentials is no reason to stop using a password manager that generates complex, unique passwords that are harder for attackers to guess. But putting the warnings right in the browser, where you can immediately go and change a leaked password, matters because leaked passwords are used by attackers within minutes of becoming available rather than hours or days later, which is why these notification services are showing up in all the browsers.
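The ‘couldn’t have travelled there in time’ check is easy to reproduce over your own sign-in logs. As an added example (not Identity Protection’s code), this PowerShell takes a handful of constructed sign-in records, each already carrying a geolocation as exported Azure AD sign-in logs do, and flags consecutive sign-ins by the same user that would require travelling faster than an airliner. The records, the documentation-range IPs, the coordinates and the 900 km/h threshold are all assumptions of this example.

```powershell
# Added example, not Microsoft's Identity Protection code: flag "impossible travel"
# between consecutive sign-ins by the same user. Records, IPs (documentation ranges)
# and coordinates are constructed; real input would be exported sign-in logs.

$SignIns = @(
    [pscustomobject]@{ User = 'alice'; Time = [datetimeoffset]'2020-07-01T08:00:00Z'; Ip = '203.0.113.5';  City = 'London';     Lat = 51.51; Lon = -0.13 }
    [pscustomobject]@{ User = 'alice'; Time = [datetimeoffset]'2020-07-01T08:45:00Z'; Ip = '198.51.100.9'; City = 'Lagos';      Lat = 6.45;  Lon = 3.39  }
    [pscustomobject]@{ User = 'bob';   Time = [datetimeoffset]'2020-07-01T09:00:00Z'; Ip = '203.0.113.7';  City = 'London';     Lat = 51.51; Lon = -0.13 }
    [pscustomobject]@{ User = 'bob';   Time = [datetimeoffset]'2020-07-01T12:00:00Z'; Ip = '203.0.113.8';  City = 'Manchester'; Lat = 53.48; Lon = -2.24 }
)

function Get-GreatCircleKm {
    param([double] $Lat1, [double] $Lon1, [double] $Lat2, [double] $Lon2)
    # Haversine formula on a 6371 km sphere; accurate enough for a plausibility check
    $rad  = [Math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $rad
    $dLon = ($Lon2 - $Lon1) * $rad
    $h = [Math]::Pow([Math]::Sin($dLat / 2), 2) +
         [Math]::Cos($Lat1 * $rad) * [Math]::Cos($Lat2 * $rad) * [Math]::Pow([Math]::Sin($dLon / 2), 2)
    return 2 * 6371 * [Math]::Asin([Math]::Sqrt($h))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)][object[]] $Events,
        [double] $MaxKmPerHour = 900    # assumption: faster than an airliner means two different people
    )
    foreach ($group in ($Events | Sort-Object User, Time | Group-Object User)) {
        $ordered = @($group.Group)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]
            $cur  = $ordered[$i]
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $hours = ($cur.Time - $prev.Time).TotalHours
            # Same city or geolocation jitter: no travel to assess, skip the pair
            if ($km -lt 50) { continue }
            # Two sign-ins in the same second from far apart is the most impossible case of all
            $speed = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            [pscustomobject]@{
                User      = $group.Name
                From      = "$($prev.City) ($($prev.Ip))"
                To        = "$($cur.City) ($($cur.Ip))"
                Km        = [Math]::Round($km)
                Hours     = [Math]::Round($hours, 2)
                KmPerHour = [Math]::Round($speed)
                Risky     = ($speed -gt $MaxKmPerHour)
            }
        }
    }
}

# alice: London to Lagos (about 5,000 km) in 45 minutes is flagged; bob's London to Manchester in 3 hours is not
Find-ImpossibleTravel -Events $SignIns | Format-Table -AutoSize
```

Real deployments need the obvious caveats: VPN exits and mobile carrier gateways geolocate far from the user, so a flag should raise the sign-in’s risk rather than block outright, and a success that follows a burst of failures from a new IP is worth correlating with the same event stream, since that is what a breach replay attack looks like from the service side.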