Microsoft: Here’s how our new password-monitoring system actually works

Just as Google starts rolling out new password protection features in Chrome 88, Microsoft has revealed the inner workings of its password monitor features in its Chromium-based Edge browser.

The stable version of Microsoft Edge 88 gained the Password Monitor feature, which Microsoft announced in March 2020.

Not to be confused with a password manager, this is Microsoft’s alert for passwords that have been exposed in data breaches and leaked online. Google added a similar feature to Chrome in 2019; Mozilla started testing its password breach alert service in 2018.


Browser makers are keen to get us to sign in, but how do you get users to sign in to a browser when there’s no perceived value beyond syncing browsers across desktop and mobile? Security, or more specifically a security service that alerts users to a password that’s been leaked online, could be a key benefit here.

Like other browser-based password breach notification services, Microsoft’s Password Monitor alerts Edge users if any of their passwords saved in the browser’s password manager match a password exposed in a data breach.

“When you turn on Password Monitor, Microsoft Edge checks the passwords you’ve saved in the browser against a large database of known leaked passwords that are stored in the cloud. If any of your passwords match those in the database, they’ll appear on the Password Monitor page in Microsoft Edge Settings. Any passwords listed there are no longer safe to use and you should change them immediately,” Microsoft notes in a support page.

“Make sure you’re signed in to Microsoft Edge using your Microsoft account or your work or school account,” it says.

Microsoft, Google and Mozilla don’t actually see the user’s passwords for websites. As Microsoft researchers point out: “The underlying technology ensures privacy and security of the user’s passwords, which means that neither Microsoft nor any other party can learn the user’s passwords while they are being monitored.”

Microsoft explains that its approach in Edge relies on “homomorphic encryption” and offers a plain-language description of what it’s doing to monitor passwords without actually viewing them. Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first, the researchers explained.

“At a high level, when a password is saved in Edge, the browser needs to contact a server to check if the password was found in a breached list. It is also necessary to periodically check this in case there are new instances of breached passwords found,” Microsoft researchers explain.


Edge servers must not learn any information about a person’s usernames or passwords, and potential attackers must not be able to obtain that information while the check happens, including by observing the traffic as it travels between users and Edge servers, as in a man-in-the-middle attack.

Microsoft’s researchers said they have built on the Microsoft SEAL homomorphic encryption library to implement a new protocol to bring Password Monitor to Edge users. This meant modifying the library to support low-end devices, to have multi-platform support (Mac, ARM, x86), and to optimize the protocol for network efficiency.
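The kind of check described above, as an added toy example that is not Microsoft's protocol or SEAL code: it uses Paillier's additively homomorphic encryption (a far simpler scheme than the lattice-based SEAL library) for a private equality test, so the server computes only on ciphertexts and the client learns only whether its hashed password matched a leaked one. The two small Mersenne primes and the breach list are constructed for the demo and are not secure parameters or real breach data.

```python
import hashlib
import secrets
from math import gcd

# Toy Paillier parameters: two well-known Mersenne primes (2^31-1, 2^61-1).
# A ~92-bit modulus is far too small for real use; it only keeps the demo fast.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                            # decryption constant for g = n+1

def encrypt(m):
    """Paillier encryption with g = n+1: c = (1 + m*n) * r^n mod n^2."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Paillier decryption: L(c^lam mod n^2) * mu mod n, with L(x) = (x-1)/n."""
    return ((pow(c, LAM, N2) - 1) // N) * MU % N

def pw_hash(password):
    """Hash the password and reduce it into the plaintext space Z_n."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % N

def client_query(password):
    """Browser side: send only an encryption of the hashed password."""
    return encrypt(pw_hash(password))

def server_answer(c, breached_hashes):
    """Server side: for each leaked hash s, compute Enc(r * (h - s)) without
    decrypting. Enc(h) * Enc(-s) = Enc(h - s); raising to a random r masks
    the difference so a non-match decrypts to a random value, never to s."""
    out = []
    for s in breached_hashes:
        r = secrets.randbelow(N - 1) + 1
        diff = c * encrypt((-s) % N) % N2      # Enc(h - s mod n)
        out.append(pow(diff, r, N2))           # Enc(r * (h - s) mod n)
    secrets.SystemRandom().shuffle(out)        # hide which entry matched
    return out

def is_breached(password, breached_hashes):
    """Client decrypts each reply; a zero means h == s for some leaked hash."""
    replies = server_answer(client_query(password), breached_hashes)
    return any(decrypt(x) == 0 for x in replies)

# Constructed sample breach list (hashes of a few weak passwords, not real breach data).
LEAKED = [pw_hash(p) for p in ["123456", "password", "qwerty"]]
```

The server only ever sees `c` and works on ciphertexts, and the masked replies reveal nothing about entries that did not match, which is the privacy property the researchers describe.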