Forum Discussion
Elliot Kirk
Oct 29, 2019, Former Employee
Autofill Blog #2: Password Security
The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern t...
Suhrid_Palsule
Microsoft
Nov 14, 2019
Hi saltukkos, thank you for your feedback! Responses below:
- Add re-authentication to FoAS: Yes, this is under consideration (as discussed in the blog post; see Master Password). However, FoAS is useful in its own right as it defends against certain types of security attacks - read more here.
- Viewing passwords in the HTML: This is a known fact and not a vulnerability. When you offer a website your username and password – either by entering it in manually OR via autofill – the website now has access to these text entries as is evident by using F12 and seeing them in the website HTML.
Autofill functionality simply mimics the user action of manually entering the username/password text into the respective form fields and saves time and manual effort.
If an unauthorized person is viewing the password using Dev tools, this means that the device is no longer secure. As stated in the blog post, such threats (classified as physically-local attacks) are outside the Security Threat Model of the Password Manager.
- Why ask for authentication during the ‘View Saved Passwords’ user flow when they can be viewed in the site HTML: First, you will find that you cannot use the same F12 approach to make passwords visible in Settings. This is because at this point they’re still stored securely with the browser and not yet auto-filled into the website. So they can be made visible only after due authentication. Once they’re auto-filled, however, this is as good as having been entered manually (as explained above). And therefore being able to view them through Developer Tools is not a vulnerability, and asking for authentication in the Settings View flow is appropriate from a security perspective.
- Master Password: As stated in the blog post, we are considering this. And yes, this will ensure that autofill only works after due authentication is provided.
- Non-secure, non-usable: The current browser, as explained above, is neither non-secure nor non-usable.
In closing, it might be helpful to look at a simplified version of the Password Manager security model from a user’s perspective (Note: This is a simplified version and does not cover all aspects of the feature):
Password storage: Encrypted on disk
View password in Settings: Blinded by default, can’t be exposed via F12. Need OS authentication to make visible
Auto-fill into websites:
- Regular mode: auto-fill works without additional user input
- FoAS (available via flag): Requires the user to choose the account that she wants to autofill and protects the user against certain types of phishing attacks
- Master Password: similar to FoAS but with an additional authentication check
Hope this helps!
mikemuch
Nov 19, 2019, Copper Contributor
Does the data remain encrypted during sync over the web? Suhrid_Palsule
- Suhrid_Palsule, Dec 02, 2019
Microsoft
mikemuch Passwords stay encrypted during transit as well as in cloud storage.
- HotCakeX, Dec 02, 2019, MVP
Hi,
I would like my passwords saved in the new Edge browser be accessible to all of the programs and apps installed on Windows 10, would it be possible when Edge stable is released?
- Suhrid_Palsule, Dec 02, 2019
Microsoft
HotCakeX This was a capability offered by the legacy Microsoft Edge browser, where all your website and Windows app passwords were stored in the Credential Manager.
In the new Microsoft Edge, passwords are stored in a different location (App data folder) and on a per profile basis. There is currently no ability to autofill these passwords on Windows apps.
- Suhrid_Palsule, Dec 01, 2019
Microsoft
mikemuch Yes