Microsoft’s Edge browser to get breached credential alerts

After re-Chroming its Edge browser last summer, Microsoft this week announced a list of new security and privacy features it plans to add to forthcoming versions in an effort to take on its rivals.

The first of these, tracking prevention, has been in the browser for months, but was recently redesigned to make it stand out a bit more.

The second is that Edge’s InPrivate mode searches are, as of last week, possible via the company’s Bing search engine.

The third is called Password Monitor, a feature that will tell Edge users when usernames and passwords they’ve entered on a website have been found on the dark web.

These sound very similar to features already available in rivals, which is why it’s worth delving into the newer two in a little more detail to draw out some of the differences.

Starting with Password Monitor, the most significant of the new features, which should appear in Edge at some point soon (it’s not clear when, given that Microsoft has paused updates apart from security fixes because of disruption caused by Covid-19).

Essentially, every time credentials are saved into Edge’s password store (rather than into a third-party password manager) it checks to see whether these are already part of a database of those known to have been breached.

If they are, Edge will tell the user, suggesting they change them. All credentials detected to be breached will be viewable in a special dashboard.

There are two issues with this, the first being what data source Microsoft is checking the credentials against.

For example, Mozilla’s Firefox, which started integrating this feature as Firefox Monitor as long ago as 2018, uses a service called Have I Been Pwned (HIBP). So far, the implication is that Microsoft will use its own inhouse database, perhaps combined with an external source.

The second is how it will do the checking, which for plaintext email addresses is relatively simple – just look up the user’s email address in a database of breached email addresses.

For passwords, things get a lot more complicated. It’s not just that the user’s password can’t be leaked to Microsoft or a man-in-the-middle, but that the feature doesn’t become an inadvertent lookup for criminals looking in the opposite direction.

Both Firefox, and Google Chrome’s Password Checkup extension which appeared in 2019, use a variety of mathematical techniques, including the principle of k-anonymity, blinding, and multiple rounds of hashing.

There are some subtle differences, however, which probably don’t matter to the average user, but which bother engineers. Hopefully, Microsoft will share more detail on this aspect of Edge’s Password Monitor at some point.

Available now, InPrivate with Bing sounds like a statement of the obvious: private browsing shouldn’t monitor which sites someone is visiting when using it.

In fact, while private anonymous modes don’t record what users have been looking at within the browser itself, that doesn’t mean Google itself isn’t paying attention to searches.

However, Microsoft claims that searches won’t be tied to a user’s account, as long as Bing is used.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.