{"id":716848,"date":"2021-01-21T09:00:27","date_gmt":"2021-01-21T17:00:27","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=716848"},"modified":"2021-01-25T13:17:28","modified_gmt":"2021-01-25T21:17:28","slug":"password-monitor-safeguarding-passwords-in-microsoft-edge","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/password-monitor-safeguarding-passwords-in-microsoft-edge\/","title":{"rendered":"Password Monitor: Safeguarding passwords in Microsoft Edge"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_Monitor_NoLogo.gif\" alt=\"\"\/><\/figure>\n\n\n\n<p>One of the biggest pillars for Microsoft Edge is trust. Today, to further bolster that trust while keeping our customers safe, we introduce a new feature called Password Monitor. The feature notifies users if any of their saved passwords have been found in a third-party breach. All this is done while ensuring Microsoft doesn\u2019t learn the user\u2019s passwords. The underlying technology ensures privacy and security of the user\u2019s passwords, which means that neither Microsoft nor any other party can learn the user\u2019s passwords while they are being monitored.<\/p>\n\n\n\n<p>This unique security feature is possible due to pioneering cryptography research and technology incubation done here at Microsoft Research. The feature is a culmination of our research on <em><a href=\"https:\/\/www.microsoft.com\/en-us\/research\/project\/homomorphic-encryption\/#:~:text=Yesterday,%20Microsoft%20with%20the%20goal%20to%20standardize%20homomorphic,Cryptography%20Research%20group%20at%20Microsoft.%20December%2004,%202018.\">homomorphic encryption<\/a><\/em> and its practical applications. It is the result of a collaboration between former research incubation group, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/group\/cryptography-research\/\">the Cryptography and Privacy Research Group<\/a>, and Edge product team. The teams have built on the <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/project\/microsoft-seal\/\">Microsoft SEAL homomorphic encryption library<\/a> to implement a new protocol to bring Password Monitor to our Edge users.<\/p>\n\n\n\n<p>At a high level, when a password is saved in Edge, the browser needs to contact a server to check if the password was found in a breached list. It is also necessary to periodically check this in case there are new instances of breached passwords found. The most important aspect is that the Edge servers must never learn any information about the client\u2019s usernames or passwords. It is also important to ensure that no outside party is able to gain access to this information while it travels between users and Edge servers (as in man-in-the-middle attacks).To learn how to enable Password Monitor in the Edge browser and access a list of frequently asked questions, read the <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" href=\"https:\/\/aka.ms\/passwordmonitor\">Password Monitor support page<span class=\"sr-only\"> (opens in new tab)<\/span><\/a>.<\/p>\n\n\n\n<div class=\"annotations \" data-bi-aN=\"margin-callout\">\n\t<ul class=\"annotations__list card depth-16 bg-body p-4 annotations__list--right\">\n\t\t<li class=\"annotations__list-item\">\n\t\t\t\t\t\t<span class=\"annotations__type d-block text-uppercase font-weight-semibold text-neutral-300 small\">Publication<\/span>\n\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/labeled-psi-from-fully-homomorphic-encryption-with-malicious-security\/\" target=\"_self\" class=\"annotations__link font-weight-semibold text-decoration-none\" data-bi-type=\"annotated-link\" aria-label=\"Labeled PSI from Fully Homomorphic Encryption with Malicious Security\" data-bi-aN=\"margin-callout\" data-bi-cN=\"Labeled PSI from Fully Homomorphic Encryption with Malicious Security\">\n\t\t\t\tLabeled PSI from Fully Homomorphic Encryption with Malicious Security&nbsp;<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span>\n\t\t\t<\/a>\n\t\t\t\t\t<\/li>\n\t<\/ul>\n<\/div>\n\n\n\n<div class=\"annotations \" data-bi-aN=\"margin-callout\">\n\t<ul class=\"annotations__list card depth-16 bg-body p-4 annotations__list--left\">\n\t\t<li class=\"annotations__list-item\">\n\t\t\t\t\t\t<span class=\"annotations__type d-block text-uppercase font-weight-semibold text-neutral-300 small\">Publication<\/span>\n\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/fast-private-set-intersection-homomorphic-encryption\/\" target=\"_self\" class=\"annotations__link font-weight-semibold text-decoration-none\" data-bi-type=\"annotated-link\" aria-label=\"Fast Private Set Intersection from Homomorphic Encryption\" data-bi-aN=\"margin-callout\" data-bi-cN=\"Fast Private Set Intersection from Homomorphic Encryption\">\n\t\t\t\tFast Private Set Intersection from Homomorphic Encryption&nbsp;<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span>\n\t\t\t<\/a>\n\t\t\t\t\t<\/li>\n\t<\/ul>\n<\/div>\n\n\n\n<p>From the onset, this was a huge challenge for the teams. Microsoft Edge powers millions of users and supports a range of devices, old to new, with varying storage, computing power, and connectivity. We want to ensure that every Edge user on every platform can trust and benefit from this feature. For this, the Microsoft SEAL library was modified to support low-end devices, to have multi-platform support (Mac, ARM, x86), and to optimize the protocol for network efficiency. The protocol is based on the research done by the cryptography research team, presented in two papers: \u201c<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/fast-private-set-intersection-homomorphic-encryption\/\">Fast Private Set Intersection from Homomorphic Encryption<\/a>\u201d and \u201c<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/labeled-psi-from-fully-homomorphic-encryption-with-malicious-security\/\">Labeled PSI from Fully Homomorphic Encryption with Malicious Security<\/a>.\u201d<\/p>\n\n\n\n<h2 id=\"how-password-monitor-secures-your-information\">How Password Monitor secures your information<\/h2>\n\n\n\n<p>Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to \u201cadd\u201d these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that \u201cadds\u201d these ciphertexts and returns an encryption of 12, the sum of 5 and 7.<\/p>\n\n\n\n<p>First, the client communicates with the server to obtain a hash <em>H<\/em> of the credential, where <em>H<\/em> denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an O<em>blivious Pseudo-Random Function (OPRF)<\/em>. Since only the server knows the hash function <em>H<\/em>, the client is prevented from performing an efficient <em>dictionary attack <\/em>on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt <em>H(k)<\/em> and send the resulting ciphertext <em>Enc(H(k))<\/em> to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result <em>(True or False)<\/em> encrypted under the same client key. The matching function operation looks like this: <em>computeMatch(Enc(k), D)<\/em>. The server forwards the encrypted result to the client, who decrypts it and obtains the result.<\/p>\n\n\n\n<p>In the above framework, the main challenge is to minimize the complexity of the <em>computeMatch<\/em> function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users\u2019 needs. Check out both papers mentioned and linked earlier for a description of these optimizations and details on how the protocol works.<\/p>\n\n\n\n\n\t<div class=\"border-bottom border-top border-gray-300 mt-5 mb-5 msr-promo text-center text-md-left alignwide\" data-bi-aN=\"promo\" data-bi-id=\"1085496\">\n\t\t\n\n\t\t<p class=\"msr-promo__label text-gray-800 text-center text-uppercase\">\n\t\t<span class=\"px-4 bg-white display-inline-block font-weight-semibold small\">Spotlight: Blog post<\/span>\n\t<\/p>\n\t\n\t<div class=\"row pt-3 pb-4 align-items-center\">\n\t\t\t\t\t\t<div class=\"msr-promo__media col-12 col-md-5\">\n\t\t\t\t<a class=\"bg-gray-300\" href=\"https:\/\/www.microsoft.com\/en-us\/research\/blog\/eureka-evaluating-and-understanding-progress-in-ai\/\" aria-label=\"Eureka: Evaluating and understanding progress in AI\" data-bi-cN=\"Eureka: Evaluating and understanding progress in AI\" target=\"_blank\">\n\t\t\t\t\t<img decoding=\"async\" class=\"w-100 display-block\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2024\/09\/NEWEureka-2024-BlogHeroFeature-1400x788-1-66e90c195464d.jpg\" alt=\"White icons representing the Eureka Experiment Pipeline -- PromptProcessing, Inference, PromptProcessing, Inference, DataProcessing, EvalReporting -- on blue to green gradient background.\" \/>\n\t\t\t\t<\/a>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"msr-promo__content p-3 px-5 col-12 col-md\">\n\n\t\t\t\t\t\t\t\t\t<h2 class=\"h4\">Eureka: Evaluating and understanding progress in AI<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t<p class=\"large\">How can we rigorously evaluate and understand state-of-the-art progress in AI? Eureka is an open-source framework for standardizing evaluations of large foundation models, beyond single-score reporting and rankings. Learn more about the extended findings.\u00a0<\/p>\n\t\t\t\t\n\t\t\t\t\t\t\t\t<div class=\"wp-block-buttons justify-content-center justify-content-md-start\">\n\t\t\t\t\t<div class=\"wp-block-button\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/blog\/eureka-evaluating-and-understanding-progress-in-ai\/\" class=\"btn btn-brand glyph-append glyph-append-chevron-right\" aria-label=\"Read more\" data-bi-cN=\"Eureka: Evaluating and understanding progress in AI\" target=\"_blank\">\n\t\t\t\t\t\t\tRead more\t\t\t\t\t\t<\/a>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div><!--\/.msr-promo__content-->\n\t<\/div><!--\/.msr-promo__inner-wrap-->\n\t<\/div><!--\/.msr-promo-->\n\t\n\n\n\n<p>To optimize the performance of our protocol, we further shard the database <em>D <\/em>of breached credentials, according to the first two bytes of a certain hash function applied to the username. When the browser submits a query, it will compute these two bytes from the username and send it along with the encrypted credentials. Suppose the database <em>D<\/em> consists of 4 billion credentials, then after sharding each subset, it will contain about 60,000 credentials on average. This significantly improves efficiency since the server only needs to perform the homomorphic evaluation on one such subset for each query.<\/p>\n\n\n\n<p>The entire library has been optimized to run efficiently on the diverse set of devices, from the lowest end to the high end, and varied platforms supported by Edge. The core principles behind the optimization were to keep the Edge binary minimal, consume less network bandwidth, and ensure minimal impact to battery (in laptops) while keeping the CPU utilization to a minimum, both on the client side and the server side. It also required supporting a large number of clients.<\/p>\n\n\n\n<p>At Microsoft, we are glad to bring this first consumer application that utilizes homomorphic encryption to help protect our users. We will continue to build on this to enable all developers to deploy such secure services using Homomorphic Encryption and other privacy-preserving technologies. Check out the <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/group\/cryptography-research\/\">Cryptography and Privacy Research Group page<\/a> for more information on homomorphic encryption and other projects, and reach out to us if you are interested.<\/p>\n\n\n\n<h2 id=\"acknowledgements\">Acknowledgements<\/h2>\n\n\n\n<p>Password Monitor is the result of a great collaboration between former research incubation group, Cryptography and Privacy Research Group, and Microsoft Edge, with members including the authors of this post along with: Suhrid Palsule, Tulasi Menon, Ankit Jain, Prasenjit Mukherjee, Gurpreet Virdi, Austin Orion, Carlos Frias, Shabnam Erfani, Hamed Khanpour, Steven Chith, Melissa Chase, Esha Ghosh, Wei Dai, Qiaofei Ye, and Hao Chen (former Microsoft Senior Researcher). <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the biggest pillars for Microsoft Edge is trust. Today, to further bolster that trust while keeping our customers safe, we introduce a new feature called Password Monitor. The feature notifies users if any of their saved passwords have been found in a third-party breach. All this is done while ensuring Microsoft doesn\u2019t learn [&hellip;]<\/p>\n","protected":false},"author":38838,"featured_media":718945,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"categories":[1],"tags":[],"research-area":[13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-716848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-blog","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[],"related-projects":[438444],"related-events":[],"related-researchers":[{"type":"user_nicename","value":"Kim Laine","user_id":32546,"display_name":"Kim Laine","author_link":"<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/kilai\/\" aria-label=\"Visit the profile page for Kim Laine\">Kim Laine<\/a>","is_active":false,"last_first":"Laine, Kim","people_section":0,"alias":"kilai"},{"type":"user_nicename","value":"Radames Cruz Moreno","user_id":38898,"display_name":"Radames Cruz Moreno","author_link":"<a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/racruzmo\/\" aria-label=\"Visit the profile page for Radames Cruz Moreno\">Radames Cruz Moreno<\/a>","is_active":false,"last_first":"Cruz Moreno, Radames","people_section":0,"alias":"racruzmo"}],"msr_type":"Post","featured_image_thumbnail":"<img width=\"960\" height=\"540\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-960x540.jpg\" class=\"img-object-cover\" alt=\"A flow chart showing how information is passed between a user and the password monitor service.\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-960x540.jpg 960w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-300x169.jpg 300w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-1024x576.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-768x432.jpg 768w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-1536x865.jpg 1536w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-2048x1153.jpg 2048w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-16x9.jpg 16w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-1066x600.jpg 1066w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-655x368.jpg 655w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-343x193.jpg 343w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-640x360.jpg 640w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-1280x720.jpg 1280w, https:\/\/www.microsoft.com\/en-us\/research\/uploads\/prod\/2021\/01\/1400x788_Password_monitor_still_No_logo-1920x1080.jpg 1920w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/>","byline":"Kristin Lauter, Sreekanth Kannepalli, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/kilai\/\" title=\"Go to researcher profile for Kim Laine\" aria-label=\"Go to researcher profile for Kim Laine\" data-bi-type=\"byline author\" data-bi-cN=\"Kim Laine\">Kim Laine<\/a>, and <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/racruzmo\/\" title=\"Go to researcher profile for Radames Cruz Moreno\" aria-label=\"Go to researcher profile for Radames Cruz Moreno\" data-bi-type=\"byline author\" data-bi-cN=\"Radames Cruz Moreno\">Radames Cruz Moreno<\/a>","formattedDate":"January 21, 2021","formattedExcerpt":"One of the biggest pillars for Microsoft Edge is trust. Today, to further bolster that trust while keeping our customers safe, we introduce a new feature called Password Monitor. The feature notifies users if any of their saved passwords have been found in a third-party&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/716848"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/38838"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=716848"}],"version-history":[{"count":12,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/716848\/revisions"}],"predecessor-version":[{"id":720658,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/716848\/revisions\/720658"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media\/718945"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=716848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=716848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=716848"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=716848"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=716848"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=716848"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=716848"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=716848"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=716848"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=716848"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=716848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}