Forum Discussion

Elliot Kirk (Microsoft)
Oct 29, 2019

Autofill Blog #2: Password Security

The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern to many – and therefore have responded to all queries in the form of this blog post dedicated solely to the subject of password security.


What are Password Managers? Why should you save your passwords in Microsoft Edge? Is it safe to store passwords in Microsoft Edge?

Passwords are among the most sensitive types of data online; we recognize this and hence have strong measures in place to protect them. Passwords saved to Microsoft Edge (v76 and later) are stored in the Password Manager. Here’s how a Password Manager helps improve your overall online security:

  1. Convenient, Reliable & Secure: A Password Manager allows you to use strong and unique passwords for each one of your internet accounts without the burden of having to remember them – the Password Manager saves and remembers all your passwords. Using a browser-based Password Manager is among the most convenient, secure and reliable ways of storing Passwords (as opposed to relying on human memory or other manual alternatives); the latter methods can often lead to bad password practices such as using easy-to-guess passwords, or re-using the same password across different accounts.
  2. Protection against Phishing: Saved credentials are keyed to the origin (scheme, host and port) of the site they were saved on, and the Password Manager offers them only when the page you are visiting has exactly that origin. A phishing site (a fake site built to look like the original) necessarily lives on a different origin, so nothing is filled there, and the absence of the usual fill is itself a warning that you are not where you think you are. Two caveats: the origin check does not help if the genuine site is itself compromised (for example through a script-injection bug), and it cannot stop you from copying a password out of the manager and typing it into the fake page yourself.
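The origin check described above, as an added example (my own model, not Microsoft Edge's code): a saved credential is offered only when the page's scheme, host and port are exactly those it was saved under. A real password manager layers affiliation rules on top of this, but the core comparison is what defeats look-alike hosts. Hostnames and the vault entry are constructed for illustration.

```python
"""Added example (not Microsoft's code): the origin check behind
"no fill on a phishing page". Saved credentials are keyed to the origin
(scheme, host, port) they were saved on and are offered only when the page
being visited has exactly that origin. Hostnames below are made up."""
from urllib.parse import urlsplit


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, ASCII host, port) for an http(s) URL, with default ports applied.
    Unicode hostnames are converted to their IDNA (punycode) form, so a
    look-alike built from Cyrillic letters never compares equal to the Latin host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parts.hostname.encode("idna").decode("ascii").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, host, port)


class SavedCredential:
    """One vault entry: the origin it was saved on plus the username/password."""

    def __init__(self, saved_on_url: str, username: str, password: str):
        self.origin = origin(saved_on_url)
        self.username = username
        self.password = password


def credentials_for_page(page_url: str, vault: list[SavedCredential]) -> list[SavedCredential]:
    """Entries that may be offered on page_url: exact origin match only.
    A different scheme, a different port, a look-alike host, a subdomain of
    the saved host or a host that merely starts with the saved name all fail."""
    page_origin = origin(page_url)
    return [c for c in vault if c.origin == page_origin]


def demo() -> dict[str, bool]:
    """Map of candidate page URL -> whether the saved credential would be offered."""
    vault = [SavedCredential("https://login.example.com/signin", "alice", "correct-horse-battery")]
    candidates = [
        "https://login.example.com/account",      # same origin, different path: offered
        "https://LOGIN.Example.COM/",              # host comparison is case-insensitive: offered
        "http://login.example.com/",               # scheme differs
        "https://login.example.com:8443/",         # port differs
        "https://login.example.com.evil.test/",    # saved host used as a prefix
        "https://login-example.com/",              # typo-squat
        "https://login.examp1e.com/",              # digit 1 for letter l
        "https://login.exаmple.com/",              # Cyrillic 'а' (U+0430) homograph
        "https://example.com/",                    # parent domain of the saved host
    ]
    return {url: bool(credentials_for_page(url, vault)) for url in candidates}


if __name__ == "__main__":
    for url, offered in demo().items():
        print(f"{'FILL   ' if offered else 'no fill'}  {url}")
```

Only the first two candidates are served; everything else, including the homograph that renders identically in the address bar, is refused because the origin tuple differs.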


How are passwords stored? What types of security measures are in place to protect this data?

Passwords are stored encrypted on disk. The type of encryption is specific to the platform. For example:

  • On Windows, passwords are encrypted using the Data Protection API (DPAPI). This ties your passwords to your OS user account: they are encrypted with a key that can only be used by processes running as the same logged-on user, so they can be decrypted and used only after you log into Windows. The boundary is the user account, not the browser, which means DPAPI on its own does not protect the passwords from other software running under your account.
  • On macOS, credentials are stored in the "Login Data" file in the Microsoft Edge profile directory. They are also encrypted on disk, with a key that is itself stored in the user's Keychain.
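A way to confirm the at-rest claim for yourself, as an added example that is not Microsoft's code: the profile's "Login Data" file is a SQLite database, and a DPAPI-protected value begins with a fixed 20-byte header (version 1 followed by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb). The script below classifies every stored password_value as DPAPI-wrapped, wrapped with the "v10" OSCrypt scheme that newer Chromium-based builds use (the key for which is DPAPI-protected in the profile's Local State file on Windows and held in Keychain on macOS), or not wrapped at all. It runs here on a constructed in-memory database; the table and column names are Chromium's and are an assumption about your build. Run it only against a copy of the file, because the live database is locked while the browser is open.

```python
"""Added example (not Microsoft's code): classify how each password in a
Chromium-style "Login Data" SQLite file is protected. Built and run here on
a constructed in-memory database; point audit_file() at a COPY of a real
profile's file to audit it. Table/column names follow Chromium (assumption)."""
import sqlite3

# A DPAPI blob starts with dwVersion = 1 followed by the DPAPI provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}, stored in little-endian field order.
DPAPI_HEADER = bytes.fromhex("01000000" "D08C9DDF" "0115" "D111" "8C7A00C04FC297EB")
# Chromium's OSCrypt prefix: the value is AES-encrypted under a per-profile key
# that is DPAPI-wrapped in "Local State" on Windows or kept in Keychain on macOS.
OSCRYPT_PREFIX = b"v10"


def classify(blob: bytes) -> str:
    """'dpapi', 'v10-oscrypt' or 'unprotected' for one password_value blob."""
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"
    if blob.startswith(OSCRYPT_PREFIX):
        return "v10-oscrypt"
    return "unprotected"


def audit_login_data(conn: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """(origin_url, username, protection) for every row of the logins table."""
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value FROM logins ORDER BY rowid"
    )
    return [(url, user, classify(bytes(pw or b""))) for url, user, pw in rows]


def unprotected_entries(conn: sqlite3.Connection) -> list[str]:
    """Usernames whose password is not wrapped at all; on a healthy profile this is empty."""
    return [user for _, user, kind in audit_login_data(conn) if kind == "unprotected"]


def audit_file(path: str) -> list[tuple[str, str, str]]:
    """Audit a copied Login Data file, opened read-only so nothing is changed."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return audit_login_data(conn)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: two properly wrapped rows and one deliberately bad row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            # DPAPI header with a made-up payload
            ("https://login.example.com/", "alice", DPAPI_HEADER + bytes(32)),
            # v10 prefix, 12-byte nonce and made-up ciphertext
            ("https://shop.example.com/", "alice", OSCRYPT_PREFIX + bytes(12) + b"\xaa" * 20),
            # what a plaintext leak would look like
            ("https://legacy.example.com/", "bob", b"hunter2"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for origin_url, user, kind in audit_login_data(build_sample_db()):
        print(f"{kind:<12} {user:<6} {origin_url}")
```

The script deliberately never tries to decrypt anything: decryption would only succeed on the same machine as the same user, which is exactly the boundary the text describes, and a classification pass is enough to verify that no value is sitting on disk in the clear.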

While there are several measures in place to ensure the security of stored passwords, you can further bolster your security by following good practices such as:

  • Locking or logging out of your OS session once your work is done
  • Installing applications and extensions only from trusted sources


Will Microsoft Edge continue to use the Credential Manager for storing Passwords?

For a long time, Internet Explorer and Microsoft Edge (v18 and earlier) passwords were stored in the Credential Manager. However, the new Microsoft Edge (v76 and later) will no longer store Passwords in the Credential Manager. [Credential Manager is a dedicated Windows application that stores web account passwords from Microsoft’s two browsers and passwords for other Windows apps].

The new Microsoft Edge stores passwords in a different location: a dedicated file inside each profile's folder under the Microsoft Edge application-data directory (on Windows, %LOCALAPPDATA%\Microsoft\Edge\User Data\<profile>\Login Data). This file contains all your web passwords, in encrypted form as described earlier. You can refer to the previous Autofill post for details on how to access and manage all your web credentials.


I’m worried about saving passwords to the browser and using Autofill because others could log into my accounts or see all my passwords.

There are primarily two categories of concerns raised with respect to Passwords and Autofill:

  1. Autofill related: That anyone can access (accidentally or intentionally) any of your online accounts via the password autofill functionality
  2. Access Passwords directly: That someone would be able to steal (or at least take a look at) all your passwords as they are stored in a single location

Both of these concerns are fair. While passwords are stored encrypted at rest, within an active Windows session they are available to anyone who can use the computer and, because the encryption key is tied to your user account rather than to the browser, to any program running under your account. Physically-local attacks are extremely hard to defend against in general. It is therefore important that you:

  • Lock or log out of your OS once your work is done or you’re away from your device
  • Use separate OS login accounts if the device is shared among multiple people.

While it’s possible to do more than just this, even such simple steps go a long way in reducing exposure of your sensitive data. Read on for some more steps that can help you address some of these concerns and improve your password security.


How can I ensure that only I can access and use the passwords I’ve saved?

As suggested earlier, practices such as locking your computer and using separate OS login accounts are great ways to ensure that only you have access to your passwords and other sensitive data. However, there might be times when others need to access the web using your browser. In such cases, it could be beneficial to have additional authentication checks added to the regular Autofill workflow.

  • Master Password: This term describes a functionality which requires re-authentication each time before passwords are filled into a website, thereby adding an additional layer of privacy to your account. Many users have long requested this functionality and we will be experimenting with some potential solutions in this space soon.

By default, Autofill fills your stored credentials into web forms automatically. If you would rather be asked first, use the Fill on Account Select feature:

  • Fill on Account Select (FoAS): This feature (available via edge://flags) stops stored credentials from being auto-filled into username and password fields when the page loads. Instead of injecting your stored username and password into the website directly, the browser waits for you to pick the account from a drop-down before the data is handed to the page. (The difference from the Master Password feature described above is that FoAS adds a confirmation, not a re-authentication step.)


Does Autofill need multi-factor authentication to work? Are passwords visible right after I login to Windows OS (or macOS), or is additional authentication required?

Autofill does not need multi-factor authentication to work, and no multi-factor authentication is currently planned for the Autofill feature. Microsoft Edge stores and auto-fills your passwords without any additional setup.

[Note: Two-factor authentication for your Microsoft Account (MSA) and Azure Active Directory (AAD) identities is something we will begin testing soon. Enabling this adds an extra layer of protection to your signed-in Microsoft Edge; you are encouraged to set up 2FA as an additional safeguard for your account.]

With regard to making passwords visible: passwords are always masked in the browser by default, to prevent ‘shoulder surfing’ (someone looking over your shoulder and seeing your passwords). To view a password you must re-authenticate (type your OS login password again) when prompted, so the browser can be sure the rightful owner is asking. Once re-authentication is complete, the password is shown for a brief period, after which it is hidden again.


What about profiles and passwords? I have two profiles – one for work and another personal one. Are the passwords for these two stored separately? Can some of the passwords be shared between multiple profiles?

Passwords are segmented by user profile. Each profile keeps them in its own folder, and they are not shared between profiles, because profiles are designed to be independent and can each have a different identity attached. For the same reason, sharing passwords between profiles is not currently possible.

However, there are ways in which sharing or importing passwords from one profile to another could be supported safely for users. Options are being explored as of today, and further updates will be shared in future blog posts.


Can I export all my Passwords?

Yes, this feature is now available across channels. The process requires re-authentication, meaning you must enter your OS credentials to confirm that the rightful owner is asking for this.

  1. Go to Settings > Profile > Passwords and click the ‘More’ menu at the start of the passwords table, then choose the export option.
  2. A dialog asks you to confirm this decision.
  3. Re-authenticate when prompted, and the file is written.

The exported file is plain text (a CSV), so anyone who can read it has every password in the clear. We strongly recommend taking this step only when necessary, keeping the file on encrypted storage, and deleting it as soon as you have imported it wherever it was needed.


I want Microsoft Edge to create a password for me when I’m signing into a new account

There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same.
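As an added illustration of the bar described above (my own code, not Microsoft's generator, which this post does not describe), here is what a strong, high-entropy generator looks like in practice: a cryptographically secure source (the secrets module), a known alphabet so the strength can be stated in bits, and a character-class requirement enforced by rejection sampling so that every accepted password remains equally likely. The lengths and the symbol set are my choices.

```python
"""Added example (not Microsoft's code): a high-entropy password generator
with a stated entropy figure. Character sets and lengths are my choices."""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # a symbol set most sites accept (assumption)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, symbols: bool = True) -> str:
    """Uniformly random password containing at least one character from each class.

    Rejection sampling (draw, check, redraw) is used instead of forcing one
    character per class into fixed positions: conditioning a uniform draw on
    "all classes present" leaves every accepted password equally likely,
    whereas the fixed-slot approach skews the distribution."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def password_strength(pw: str) -> float:
    """Entropy in bits, assuming pw was drawn uniformly from the union of the classes it uses."""
    size = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if any(ch in cls for ch in pw))
    return entropy_bits(len(pw), size)


if __name__ == "__main__":
    for length, use_symbols in ((16, True), (12, False)):
        pw = generate_password(length, use_symbols)
        print(f"{pw}  ({password_strength(pw):.1f} bits)")
```

Sixteen characters over the 85-symbol alphabet give a little over 100 bits; dropping symbols and shortening to twelve characters still gives about 71 bits, which is the kind of trade-off a generator has to make when a site rejects symbols.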


Is the native browser Autofill disabled when a 3rd party password manager is installed?

This is true for some password-manager extensions today. An extension that has been granted the permission to “Change your privacy-related settings” can turn off the browser’s built-in password saving and filling and make itself the autofill provider. That permission prompt, shown at install time, is worth reading for exactly this reason.


What happens to my passwords and other personal data if I delete a channel (like Stable, Canary, Developer or Beta) but not personal data – will I get it back after re-installation?

If you uninstall a Microsoft Edge channel without clearing your browsing data, all your earlier data reappears when you reinstall the same channel. On Windows, the uninstaller offers a checkbox to also clear your browsing data; leave it unchecked if you want to keep that data.

However, we recommend turning on Sync (Settings > Profile > Sync) and letting sync roam your data across channels as the best way to ensure you never lose your data.


How can I bulk-delete all of my passwords?

You can go to Settings > Privacy and Services > Clear Browsing Data > Passwords to delete all passwords at once.

  • Elliot Kirk 

    Thanks, great article.

    Please also add the option to "Suggest strong password" just like in Google chrome.


    It's a very great security feature, and since our passwords will be automatically kept in the Edge Insider browser and synced to all of our devices, we won't need to bother remembering that long and strong password. 🙂

    • Suhrid_Palsule (Microsoft)

      HotCakeX There is mention of Strong Password Generator in the blogpost above. Re-posting that part below for easy reference:

      "I want Microsoft Edge to create a password for me when I’m signing into a new account

      There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same."

    • sayjay09 (Iron Contributor)
      I agree, I cannot wait for this feature to be trialled and rolled out.
      • Suhrid_Palsule (Microsoft)
        Hi sayjay09, glad you liked the post. Can you share which feature you're referring to in your last response? Thank you.
  • Elliot Kirk 

    May I suggest a little more than having Edge create a strong password which is an obvious feature that Edge should have. Create a way to import passwords from Google Chrome into Microsoft Edge.


    Chrome's password feature locks people into Google's browser when it suggests passwords that are hard to memorize and promises to keep them safely. If you don't give people a way out of Chrome's stranglehold on passwords, you'll NEVER get these people to use Edge!


    Google is intently locking people into Chrome using subtle ways! They could provide password managers that are outside the browser, like LastPass and Firefox, but they made it built in to lock you into their browser. You need to provide a way out of Google's stranglehold.


    Proposition for Ms Edge to win more users

    I suggest that Edge should have a built-in or bundled download accelerator like IDM as one of its greatest strengths. Faster downloads will be a compelling reason for many people to switch to Chrome; it may win 40% of Chrome users within 2 years.


    Google's business model involves looking for products that people do not want to pay for, then developing them, providing them for free and monetizing their data. Microsoft's business model involves creating products that people would want, then looking for a way to sell them; however, Google's business model has proven to eat into Microsoft's revenues. Sales of MS Office dropped when Google offered Google Docs for free.


    In the spirit of Google's business model, I suggest that Microsoft build a free download accelerator and bundle it with Edge or make it built into Edge. We don't want to pay for download accelerators: provide it for free, win more users, monetize data. We have lots of PCs in our business, and we don't allow the installation of illegally downloaded software, and we don't like paying for IDM for all these PCs. We would want everyone to have IDM, but it just doesn't make any economic sense.


    There's sufficient incentive for Microsoft to develop a download accelerator: you want more people to use Edge, and you want your ad revenues to keep swelling. There's a bigger pay-off, so it makes sense to commit resources to develop this. I am not sure if there will be antitrust issues; I know you have a dedicated legal team for that. The last time I checked, the IDM extension had 10 million users on the Chrome Web Store. Those who have downloaded IDM illegally and use the extension without installing directly from the store could be in the range of hundreds of millions. These people don't want to pay for IDM. Stop them from downloading illegal software that keeps failing every time the web changes and constantly needs an update; give it to them for free but have it deeply integrated into the Microsoft ecosystem, then monetize their data. Fair trade!


    Extensions to aid Microsoft Eco-system

    Once you're done building your browser, build an extension similar to Gmail Email Checker for providing notifications for outlook.com emails. It's these little things that have kept us in the Google ecosystem. If you have 4 Gmail accounts and you want to keep tabs on all of them, Gmail Email Checker will provide you with notifications; you don't need to keep logging in and out of 4 accounts. They have deeply integrated this extension with the Google ecosystem so that the moment you allow this extension to notify you of your email, it also logs you in to Google search. This way, Google is able to know who is performing searches and then show them ads, the logic being: if you want free Gmail, we will record what you search and show you ads. Fair to me and to most people; there's no way around it.


    Microsoft should also have an Outlook notifier that is deeply integrated with its ecosystem. If you want free email from Microsoft and you want to be notified of all your 8 - 10 mailboxes that we provide for you for free, then agree to let us log you in to our browser and sync your data to our servers, then show you relevant ads based on this collected data. You can install an ad blocker if you like.


    Notifiers for outlook.com that have been developed by third parties have serious privacy issues: they claim to anonymize your data from commercial emails, but they copy your data and emails to their servers and sell them to advertisers. They tell you straight to your face and they have no shame. They think it's right to copy your emails.


    Google has these little things that have hooked me into their ecosystem, and I want to leave for Microsoft, which has better email, but I just can't leave, which is a loss for Microsoft and a win for Gmail with their Gmail ads. Microsoft, I know you're listening; don't give us any reason to leave Microsoft and go back to Google services.


    • Suhrid_Palsule (Microsoft)

      Thanks a lot, Henry-Williams1889, for your detailed feedback! It's heartening to hear such helpful feedback directly from users. I have forwarded it to the respective teams who work on downloads and Outlook.

  • vctgomes (Iron Contributor)

    Elliot Kirk I miss a feature to sync my Edge passwords with 3rd-party apps on Android, like happens on Mozilla (with its app called Lockwise) and Google (with its Google Smart Lock).


    For example: if I try to sign in on Netflix, I need to go to Edge, passwords, copy manually and paste into the Netflix app. If I saved my passwords in Chrome, they'd be synced with Google Smart Lock and I could sign in easily.

    • Suhrid_Palsule (Microsoft)

      vctgomes Thanks a lot for sharing your feedback. This is a fair expectation (autofill on mobile apps and websites) and we are looking into this.

    • fcojavier (Copper Contributor)
      I completely agree with this need. It's the only thing you're missing for me to switch to Edge 100%. Please include this option on Android.
  • saltukkos (Copper Contributor)

    Elliot Kirk 

    • Fill on Account Select (FoAS): This feature (available via edge://flags, see below) enables stored credentials from getting Autofill-ed into Username and Password fields. The way it works is that instead of injecting your stored username and password directly into a website, the browser now requires an additional confirmation from you before this data is passed onto the website. (How this differs from the Master Password feature described previously is that FoAS does not involve an additional re-authentication step.)

     Please add a re-authentication step here (or at least the ability to enable it in this case), because all your arguments break when I press F12 and change the input type from "password" to "text". What's the point of using Windows Hello in "view saved passwords" when I can open the site and get the password with two clicks?

     You need to implement a master password (or use Windows Hello) when filling sensitive data; otherwise it will be the default non-secure, non-usable browser autofill and everybody will use LastPass and other alternatives.

    • Suhrid_Palsule (Microsoft)

      Hi saltukkos, thank you for your feedback! Responses below:


      1. Add re-authentication to FoAS: Yes, this is under consideration (as discussed in the blog post; see Master Password). However, FoAS is useful in its own right as it defends against certain types of security attacks - read more here.

      2. Viewing passwords in the HTML: This is a known fact and not a vulnerability. When you offer a website your username and password – either by entering it in manually OR via autofill – the website now has access to these text entries as is evident by using F12 and seeing them in the website HTML.

        Autofill functionality simply mimics the user action of manually entering the username/password text into the respective form fields and saves time and manual effort.

        If an unauthorized person is viewing the password using Dev tools, this means that the device is no longer secure. As stated in the blog-post, such threats (classified as physically-local attacks) are outside the Security Threat Model of the Password Manager.

      3. Why ask for authentication during the ‘View Saved Passwords’ user flow when they can be viewed in the site HTML: First, you will find that you cannot use the same F12 approach to make passwords visible in Settings. This is because at this point they’re still stored securely with the browser and not yet auto-filled into the website. So they can be made visible only after due authentication. Once they’re auto-filled, however, this is as good as having been entered manually (as explained above). Therefore being able to view them through Developer Tools is not a vulnerability, and asking for authentication in the Settings view flow is appropriate from a security perspective.

      4. Master Password: As stated in the blog post, we are considering this. And yes, this will ensure that autofill only works after due authentication is provided.

      5. Non-secure, non-usable: The current browser, as explained above, is neither non-secure nor non-usable.


      In closing, it might be helpful to look at a simplified version of the Password Manager security model from a user’s perspective (Note: This is a simplified version and does not cover all aspects of the feature):

      Password storage: Encrypted on disk

      View password in Settings: Blinded by default, can’t be exposed via F12. Need OS authentication to make visible

      Auto-fill into websites:

      1. Regular mode: auto-fill works without additional user input
      2. FoAS (available via flag): Requires the user to choose the account she wants to autofill and protects the user from certain types of phishing attacks
      3. Master Password: similar to FoAS but with an additional authentication check


      Hope this helps!

  • GAC2445 (Copper Contributor)
    I am just wanting to say, GOOGLE EARTH DOESN'T WORK WITH EDGE-CHROMIUM. MAKE IT SO THAT YOU CAN SIGN IN TO AN ACCOUNT ON EDGE WITH A GOOGLE ACCOUNT > WORK WITH GOOGLE EARTH-GOOGLE ACCOUNT
  • Shyatic (Copper Contributor)

    Elliot Kirk I'm hoping to see a proper iOS/Android app for just password management that's integrated into Edge. I use Lastpass and it's fine, but nothing better than an integrated and secure solution.

    • Suhrid_Palsule (Microsoft)

      Hi Shyatic - we hear you! This is under consideration and you'll hear more about this in the weeks to come. Thanks a lot. 🙂

    • fcojavier (Copper Contributor)
      I completely agree with this need. It's the only thing you're missing for me to switch to Edge 100%.
  • CLE_Robbie (Copper Contributor)

    Elliot Kirk 


    We use LastPass Enterprise for password management for our employees.  Is there anything in the pipeline that could replace this paid service?  Sales, Admin, and Accounting departments have a shared group of passwords that I can assign them so they never see the actual password.  

    • Shyatic (Copper Contributor)

      CLE_Robbie it would be pretty fantastic to have an enterprise-ready tool that does password handouts and resets, much like the tools out on the market now. It would integrate well with 365 as a service, both as a consumer and as an enterprise.

    • Suhrid_Palsule (Microsoft)

      CLE_Robbie Our current Enterprise offerings include a centrally administered ability to Enable/Disable Autofill for each of the three data types - passwords, payments (cards) and personal info. Besides this, there's another set of policies that allow an organisation to classify website URLs as 'important' and prevent re-use of passwords used on those websites elsewhere.

      It would be great to know more about what features (besides centralized password sharing and control) would be helpful to your organisation. Feel free to reply on the same thread, so others may also benefit from our discussion 🙂

  • Elliot Kirk This is all nice, but in a mobile-first world the majority of the time it is not about browser passwords. It is about having the capability to use the passwords in mobile apps too. So this is why we should not compare this feature to password managers, because they have much better and wider functionality.

  • Kipopstok (Copper Contributor)

    Hi Elliot Kirk, I noticed an issue with the MS password manager when a site uses a two-step verification with a password followed by a pin. I admit it's old fashioned that a site would use this i/o the MS or Google authenticator, but I have sites that do. This means I have to remember each time to ignore the Edge popup asking me to update my password, because if I do, it overwrites the password with the pin. It's a pain, but I don't expect MS to resolve this.

    • Suhrid_Palsule (Microsoft)

      Kipopstok thanks for sharing this issue. Unfortunately, there are other cases as well where non-password entities are mistaken by the browser for passwords (one-time passwords and credit card CVV numbers, to cite a few other examples) and lead to the same prompt showing. We would want such experiences to be reduced to a minimum and are making efforts to progress in that direction.

      Please feel free to file feedback using Alt + Shift + I to share with us details of where you are experiencing this. Thanks!