
Microsoft Edge will now let you know if your password is compromised



Yesterday, Microsoft announced a bunch of new features coming to its Edge browser, including sidebar search, history sync, and more. Another nifty capability coming to the browser is Password Monitor, which alerts you if you are using unsafe credentials. The service began rolling out to Insiders back in June 2020 and is now being made available to the general public in Edge 88. Microsoft has detailed the feature in a dedicated blog post.

 


 

Password Monitor is the outcome of collaboration between the Edge product team and a former Microsoft Research incubation group called the "Cryptography and Privacy Research Group". The underlying technology is based on homomorphic encryption and is built on top of the Microsoft SEAL homomorphic encryption library.

 

Simply stated, Password Monitor contacts a server periodically and verifies that the credentials you have saved in Edge are not present in a database of breached credentials. If they are, the user is immediately alerted and asked to change them. It is important to note that neither Microsoft nor any other third-party can see your credentials, with the technology also secure against man-in-the-middle attacks so a malicious actor cannot hijack your password during transit between your browser and the server.

 

Microsoft has also modified its SEAL library to ensure multi-platform support on various architectures including ARM, x86, and Mac, and it is also compatible with low-end devices. The firm has described the principles of homomorphic encryption in its blog post as well for our more cybersecurity-savvy readers. Microsoft has emphasized that the process consumes minimal network bandwidth, optimizes CPU utilization, and that the Password Monitor service is capable of handling a "large number" of client requests.

 

Password Monitor will be made available to Edge users on a rolling basis so it will not be immediately visible to everyone. You can head over to the dedicated support page to find out how to enable it.

 

 


Edited by Karlston

Chrome and Edge want to help with that password problem of yours

The line between browsers and password managers is blurring.

Image caption: Please don't do this. (Getty Images)

 

If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

 

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.

 

As I’ve explained for years, the same things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

 

“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or when changing an existing password,” members of Microsoft’s Edge team wrote. “Just look for the browser-suggested password drop down in the password field and when selected, it will automatically save to the browser and sync across devices for easy future use.”

 

Edge 88 is also rolling out a feature called the "password monitor." As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When turned on, the password monitor will alert users when a password matches lists published online.

 

Checking passwords in a secure way is a difficult task. The browser needs to be able to check a password against a large, always-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.

 

In an accompanying post also published Thursday, Microsoft explained how that’s done:

Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.

 

First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.

 

In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users’ needs.

Not to be outdone, members of the Google Chrome team this week unveiled password protections of their own. Chief among them is a fuller-featured password manager that’s built into the browser.

 

“Chrome can already prompt you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).”

 

Chrome 88 is also making it easier to check if any saved passwords have wound up on password dumps. While password auditing came to Chrome last year, the feature can now be accessed using a security check similar to the one shown below:

Image: Chrome password security check (chrome-password-audit.gif). Credit: Google

 

Many people are more comfortable using a dedicated password manager because they offer more capabilities than those baked into their browser. Most dedicated managers, for instance, make it easy to use dice words in a secure way. With the line between browsers and password managers beginning to blur, it’s likely only a matter of time until browsers offer more advanced management capabilities.

 

 

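The check quoted from Microsoft's post, reduced to its homomorphic core, as an added example (not Microsoft's code and not part of the original posts). It swaps Microsoft SEAL for a toy Paillier cryptosystem and replaces the OPRF with a direct keyed hash; the names `server_hash`, `compute_match` and `client_check`, the key and the sample credentials are constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy key material (assumption): two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1

def keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return n, (phi, pow(phi, -1, n))            # public n, private (phi, mu)

def encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1            # fresh randomness per ciphertext
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    phi, mu = priv
    return (pow(c, phi, n * n) - 1) // n * mu % n

def add(n, c1, c2):
    # Public operation: multiplying ciphertexts adds the plaintexts.
    return c1 * c2 % (n * n)

def server_hash(server_key, username, password):
    # Assumption: stands in for the OPRF output H(k); a real client never sees the key.
    mac = hmac.new(server_key, f"{username}\x00{password}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:16], "big")

def compute_match(n, enc_h, breached):
    # Server side: sees only Enc(H(k)). For each breached hash d it returns
    # Enc(r * (H(k) - d)) with random r, which decrypts to 0 only on a match.
    replies = []
    for d in breached:
        diff = enc_h * (1 - d * n) % (n * n)    # Enc(H(k) - d)
        replies.append(pow(diff, secrets.randbelow(n - 1) + 1, n * n))
    secrets.SystemRandom().shuffle(replies)     # hide which entry matched
    return replies

def client_check(n, priv, replies):
    return any(decrypt(n, priv, c) == 0 for c in replies)

if __name__ == "__main__":
    n, priv = keygen()
    print(decrypt(n, priv, add(n, encrypt(n, 5), encrypt(n, 7))))  # 5 + 7 under encryption
    key = b"constructed-server-key"
    D = [server_hash(key, "alice@example.com", "hunter2"),
         server_hash(key, "bob@example.com", "123456")]
    for pw in ("hunter2", "correct horse battery staple"):
        h = server_hash(key, "alice@example.com", pw)
        print(pw, client_check(n, priv, compute_match(n, encrypt(n, h), D)))
```

Replies for non-matching entries decrypt to values masked by the server's random factor, so the client learns only whether a match exists, while the server handles nothing but ciphertexts.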
