Saving passwords

Steel Contributor

In another conversation, I asked why passwords saved in Dev or Canary weren't also saved in the Windows Credential Manager. Eric Lawrence replied thus:

 


@Eric_Lawrence wrote:
FWIW, the lack of Windows Credential Manager support is intentional. The challenge with mixing your new Edge browser credentials in the Windows credential manager is that the Windows Credential manager is per-Windows-Login-Account while the Edge Credential manager is per-Browser-Profile. There can be a one-to-many relationship between these accounts and profiles, and things get even messier when you consider the impact of roaming across multiple machines.

I accepted this because the concept of browser profile was new to me. Now, a few weeks later, I'm looking at the question again and admitting bafflement. It seems obvious that a specific Windows user can have more than one browser profile, but I can't see how there can be a one-to-many relationship between browser profile and Windows user account. How can Windows user B use Edge with Windows user A's profile? If there is a way, then there are some really serious implications!

 

Suppose I have two profiles, Burgess 1 for business and Burgess 2 for personal stuff. Whichever one I'm using at a particular time, I might want to sign in to Google using my burgess@gmail.com address as the username. Am I correct in thinking that if I then change the password for the Google account and ask Edge to save it, it will not be updated on the other profile? So I could potentially have many saved passwords for the same site, with no way of knowing which of them is the current one? 

 

When I view the list of saved passwords at edge://settings/passwords, I have the ability to reveal each one. However, to do so, I have to complete a Windows Security form asking for the Windows user account credentials. So there clearly is already a link between the profile and the user account. So what is the objection to updating the Windows Credential Manager each time Edge saves a password in one of its profiles?

 

Each of my two profiles is associated with a different Microsoft Account. They are syncing to burgess1@msn.com and burgess2@msn.com respectively. While browsing as Burgess 1 and signed in as burgess1@msn.com at a Microsoft property, I can select Burgess 2 to open a new browser session. If I then visit a different Microsoft property in the new session and Sign in, I find that I'm automatically signed in with Burgess 1's credentials. Where did the second site find the access token to let me in without submitting any credentials?

 

Is this working as designed? 

 

3 Replies

@Noel Burgess 

 

This is an interesting question and I am surprised it hasn't been addressed sooner.  Is this issue still present?

 

Gabriel

"How can Windows user B use Edge with Windows user A's profile? If there is a way, then there are some really serious implications!"

you answered your question yourself,
one-to-many relationship between browser profile and Windows user accounts.

"

Suppose I have two profiles, Burgess 1 for business and Burgess 2 for personal stuff. Whichever one I'm using at a particular time, I might want to sign in to Google using my burgess@gmail.com address as the username. Am I correct in thinking that if I then change the password for the Google account and ask Edge to save it, it will not be updated on the other profile? So I could potentially have many saved passwords for the same site, with no way of knowing which of them is the current one? "

Yes. if passwords were saved in Windows credential manager, then there wouldn't be any difference between which profile you use in Edge, because all of them refer to Windows credential manager to fetch and save passwords. if you changed your Google password from one profile, the other profile would be able to use the same changed password.

2 Edge profiles can operate side by side, when you open another profile, the previous one isn't closed.

Edge uses Windows authentication to stop unauthorized users from accessing your passwords.

that's a security measure different than the rest of this topic. it's not related to any specific user Edge profile, it is to prevent contents of the computer (saved passwords in Edge, no matter which profile) from Other people that are not authorized to use the computer, the device itself. it's on a different layer.


@v-gapart 


@v-gapart wrote:

This is an interesting question and I am surprised it hasn't been addressed sooner.  Is this issue still present?

 

Gabriel


well yes, Edge is still using its built-in password manager and not using Windows credential manager.

but with the explanation in OP's post, I'm now convinced and see why it is the way it is.