Autofill Blog #2: Password Security

Microsoft

The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern to many – and therefore have responded to all queries in the form of this blog post dedicated solely to the subject of password security.

 

What are Password Managers? Why should you save your passwords in Microsoft Edge? Is it safe to store passwords in Microsoft Edge?

Passwords are among the most sensitive types of data online; we recognize this and hence have strong measures in place to protect them. Passwords saved to Microsoft Edge (v76 and later) are stored in the Password Manager. Here’s how a Password Manager helps improve your overall online security:

  1. Convenient, Reliable & Secure: A Password Manager allows you to use strong and unique passwords for each one of your internet accounts without the burden of having to remember them – the Password Manager saves and remembers all your passwords. Using a browser-based Password Manager is among the most convenient, secure and reliable ways of storing Passwords (as opposed to relying on human memory or other manual alternatives); the latter methods can often lead to bad password practices such as using easy-to-guess passwords, or re-using the same password across different accounts.
  2. Protection against Phishing: The Password Manager recognizes web forms by storing and remembering a unique digital signature for each form. It uses this signature to fill in the right username and password for the respective website. In the instance that a Phishing (when a bad actor creates a fake website that looks same as the original) website or form is encountered, the Password Manager will act as a phishing defense as it won’t fill in the username or password for this as the form signature won’t match with the original, thereby protecting you and your online account.

 

How are passwords stored? What types of security measures are in place to protect this data?

Passwords are stored encrypted on disk. The type of encryption is specific to the platform. For example:

  • On Windows, passwords are encrypted using the Data Protection API. This ties your passwords to your OS user account, meaning they are encrypted using a key that can only be accessed by processes running as the same logged-on user. These passwords get decrypted and are available for use only after you log into Windows
  • On macOS, credentials are stored in "Login Data" in the Microsoft Edge users’ profile directory. They are also encrypted on disk with a key that is then stored in the user's Keychain

While there are several measures in place to ensure the security of stored passwords users can further bolster your security by following good practices such as:

  • Ensuring that you log out of your OS session once your work is done
  • Installing applications and extensions only from trusted sources

 

Will Microsoft Edge continue to use the Credential Manager for storing Passwords?

For a long time, Internet Explorer and Microsoft Edge (v18 and earlier) passwords were stored in the Credential Manager. However, the new Microsoft Edge (v76 and later) will no longer store Passwords in the Credential Manager. [Credential Manager is a dedicated Windows application that stores web account passwords from Microsoft’s two browsers and passwords for other Windows apps].

The new Microsoft Edge will store passwords in a different location (a separate dedicated folder inside the Application Data folder of the Microsoft Edge app); this folder will contain all your web passwords (in encrypted form, as described earlier. You can refer to the previous Autofill post for details on how to access and manage all your web credentials.

 

I’m worried about saving passwords to the browser and using Autofill because others could log into my accounts or see all my passwords.

There are primarily two categories of concerns raised with respect to Passwords and Autofill:

  1. Autofill related: That anyone can access (accidentally or intentionally) any of your online accounts via the password autofill functionality
  2. Access Passwords directly: That someone would be able to steal (or at least take a look at) all your passwords as they are stored in a single location

Both of these above concerns are fair. While passwords are stored encrypted at rest, within an active Windows session there are several ways in which passwords can be accessed by anyone who has access to the computer. Physically-local attacks are extremely hard to defend against in general. It is therefore important that you:

  • Lock or log out of your OS once your work is done or you’re away from your device
  • Use separate OS login accounts if the device is shared among multiple people.

While it’s possible to do more than just this, even such simple steps go a long way in reducing exposure of your sensitive data. Read on for some more steps that can help you address some of these concerns and improve your password security.

 

How can I ensure that only I can access and use the passwords I’ve saved?

As suggested earlier, practices such as locking your computer and using separate OS login accounts are great ways to ensure that only you have access to your passwords and other sensitive data. However, there might be times when others need to access the web using your browser. In such cases, it could be beneficial to have additional authentication checks added to the regular Autofill workflow.

  • Master Password: This term describes a functionality which requires re-authentication each time before passwords are filled into a website, thereby adding an additional layer of privacy to your account. Many users have long requested this functionality and we will be experimenting with some potential solutions in this space soon.

By default, Autofill feature works by filling your stored credentials automatically into web forms. If ever the need arises, you can disable this functionality by using the Fill on Account Select feature:

  • Fill on Account Select (FoAS): This feature (available via edge://flags, see below) enables stored credentials from getting Autofill-ed into Username and Password fields. The way it works is that instead of injecting your stored username and password directly into a website, the browser now requires an additional confirmation from you before this data is passed onto the website. (How this differs from the Master Password feature described previously is that FoAS does not involve an additional re-authentication step.)

clipboard_image_0.png

 

Does Autofill need multi-factor authentication to work? Are passwords visible right after I login to Windows OS (or macOS), or is additional authentication required?

Autofill by default does not need multi-factor authentication to work. Currently there is no multi-factor auth planned for Autofill feature. Microsoft Edge stores and auto-fills your passwords without needing any additional setup.

[Note: Two-factor authentication for your Microsoft Account (MSA) and Azure Active Directory (AAD) identities is something that we will begin testing soon. Enabling this will add an extra layer of protection to your signed-in Microsoft Edge ; you are encouraged to set-up 2FA as an additional safeguard for your account].

With regard to making passwords visible, passwords are always masked in the browser by default. This is to prevent ‘shoulder surfing’ – the possibility of someone looking over your shoulder seeing your passwords. To be able to view your passwords you need to re-authenticate (type your OS login password again) when prompted, to make sure it is the rightful owner requesting this. Once re-authentication is complete, the passwords can be viewed for a brief after which they become hidden again.

 

What about profiles and passwords? I have two profiles – one for work and another personal one. Are the passwords for these two stored separately? Can some of the passwords be shared between multiple profiles?

Passwords are segmented by User Profile. They are stored in a separate folder (one for each profile) and cannot be shared between different profiles. This is because profiles are designed to be independent and can have different identity attached to each. It is also for this reason, that sharing passwords between profiles is not possible.

However, there are ways in which passwords sharing or importing from one profile to another can be supported in a way that is safer for users. Options on this are being explored as of today. Further updates on this will be shared via future blog posts.

 

Can I export all my Passwords?

Yes, this feature is now available across channels. This process requires reauthentication, meaning you need to enter your OS authentication in order to confirm it’s the rightful owner asking for this.

  1. You can export passwords by following the below steps:
    Go to Settings > Profile > Passwords and clicking on the ‘More Menu’ at the start of the table.
  2. You will then get a dialog asking you to confirm this decision. clipboard_image_2.png
  3. Finally, reauthenticate yourself when the dialog appears, and the file will get exported

We strongly recommend being extremely careful with the exported file and taking this step only if necessary.

 

I want Microsoft Edge to create a password for me when I’m signing into a new account

There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same.

 

Is the native browser Autofill disabled when a 3rd party password manager is installed?

This is true for certain password manager applications as of today. If an extension is provided permission to “Change your privacy-related settings”, and make itself the autofill provider for the browser.

 

What happens to my passwords and other personal data if I delete a channel (like Stable, Canary, Developer or Beta) but not personal data – will I get it back after re-installation?

If you choose to uninstall any particular Microsoft Edge Channel and not clear your browsing data, all your older data will reappear if you re-install the same Channel again. For example, on Windows you will get an option like the one shown below – do not select the checkbox if you don’t want to clear your browsing data.

clipboard_image_0.png

However, we recommend turning on Sync (Settings > Profile > Sync) and letting sync roam your data across channels as the best way to ensure you never lose your data.

 

How can I bulk-delete all of my passwords?

You can go to Settings> Privacy and Services > Clear Browsing Data > Passwords to delete all passwords at once.

clipboard_image_1.png

58 Replies

@Elliot Kirk 

Thanks great article.

Please also add the option to "Suggest strong password" just like in Google chrome.


it's very great security feature and since our passwords will be automatically kept in Edge insider browser and synced to all of our devices, we won't need to bother remembering that long and strong password. :)

@Elliot Kirk I miss a feature to sync my Edge's Passwords with a 3rd party apps on Android, like happens on Mozilla (With its app called LockWise) and Google (With its Google SmartLock).

 

For example: if I try to sign in on Netflix, I need to go to the Edge, passwords, copy manually and past on Netflix app. If I saved my passwords on Chrome, it'd be synced with Google SmartLock and I could sing in easily.

20191030_103847.jpg

@HotCakeX There is mention of Strong Password Generator in the blogpost above. Re-posting that part below for easy reference:

"I want Microsoft Edge to create a password for me when I’m signing into a new account

There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same."

@vctgomes Thanks a lot for sharing your feedback. This is a fair expectation (autofill on mobile apps and websites) and we are looking into this.

Thanks :)

@Suhrid_Palsule You're welcome! I'm happy to help and see the Microsoft hear our feedbacks too :D

@Elliot Kirk 

May I suggest a little more than having Edge create a strong password which is an obvious feature that Edge should have. Create a way to import passwords from Google Chrome into Microsoft Edge.

 

Chrome Password feature locks people into Google's Browser when it suggests passwords that are hard to memorize, and promises to keep them safely. If you don't give people a way out of Chrome stranglehold on passwords, you'll NEVER get these people to use Edge!

 

Google is intently locking people into Chrome using subtle ways! They could provide password managers that are outside the browser like Last Pass and Firefox, but they made it inbuilt to lock you in their browser. You need to provide a way out of Google stranglehold.

 

Proposition for Ms Edge to win more users

I suggest that Edge should have an inbuilt or a bundled download accelerator like IDM as one it's greatest strength. Faster downloads will be a compelling reason for many people to switch to Chrome, it may win 40% of Chrome users within 2 yrs.

 

Google business model involves looking for products that people do not want to pay for, then they develop provide for free and monetize their data. Microsoft business model involves creating products that people would want, then look for a way to sell, however, Google business model has proven to eat into Microsoft revenues. Sales of Ms Office dropped when Google offered Google Docs for free.

 

In the spirit of Google's business model, I suggest that Microsoft build a free download accelerator and bundle it with Edge or make it inbuilt in Edge. We don't want to pay for download accelerators - provide it for free, win more users, monetize data. We have lots of PC's in our business, and we don't allow the installation of illegally downloaded software and we don't like paying for IDM for all these PC's. We would want everyone to have IDM but it just doesn't make any economic sense.

 

There's sufficient incentive for Microsoft to do develop a download accelerator, you want more people to use edge, and you want your ad revenues to keep swelling. There's a bigger pay off so it makes sense to commit resources to develop this. I am not sure if there will be antitrust issues, I know you have a dedicated legal team for that. The last time I checked, IDM extension had 10 Million users on Chrome Web store. Those who have downloaded IDM illegally and use the extension without installing directly from the store could be in the range of hundreds of millions. These people don't want to pay for IDM. Stop them from downloading illegal software that keeps failing every time the web changes, and it constantly needs an update, give them for free but have it deeply integrated into Microsoft ecosystem, then monetize their data - Fair trade!

 

Extensions to aid Microsoft Eco-system

Once you're done with building your browser, build an extension similar to Gmail Email Checker for providing notification for outlook.com emails. It's these little things that have kept us in Google Ecosystem. If you have 4 Gmail accounts and you want to keep tabs in all of them, Gmail Email Checker will provide you with notifications, you don't need to keep logging in and out of 4 accounts. They have deeply integrated this extension with Google ecosystem so that the moment you allow this extension to notify you of your email, it also logs you in Google search. This way,  Google is able to know who is performing searches then show them ads, the logic being, if you want free Gmail, we will record what you search and show you ads, fair to me and to most people, there's no way around it.

 

Microsoft should also have an outlook notifier that is deeply integrated with it's ecosystem. If you want free email from Microsoft and you want to be notified of all your 8 - 10 mailboxes that we provide for you for free, then agree to let us log you in our browser, and sync your data to our servers then show you relevant ads based on this collected data. You can install an adblocker if you like.

 

Notifiers for outlook.com that have been developed by third parties have serious privacy issues, they claim to anonymize your data from commercial emails, they copy your data and emails to their servers and sell to advertisers. They tell you straight to the face and they have no shame. They think it's right to copy your emails.

 

Google has these little stuff that has hooked me into their ecosystem and I want to leave for Microsoft which has a better email, but I just can't leave - which is a loss for Microsoft and a win for Gmail with their Gmail ads. Microsoft, I know you're listening, don't give us any reason to leave Microsoft and go back to Google services. 

 

 

Thanks a lot, @Henry-Williams1889 for your detailed feedback! It's heartening to hear such helpful feedback directly from users. I have forwarded the same to the respective teams who work on downloads and Outlook. 

I am just wanting to say, GOOGLE EARTH DOESN"T WORK WITH EDGE-CHROMIMUM. MAKE IT THAT YOU CAN SIGIN IN ACCOUNT ON EDGE WITH GOOGLE ACCOUNT> WORK WITH GOOGLE EARTH-GOOGLE ACCOUNT

@Elliot Kirk I'm hoping to see a proper iOS/Android app for just password management that's integrated into Edge. I use Lastpass and it's fine, but nothing better than an integrated and secure solution.

Hi @Shyatic - we hear you! This is under consideration and you'll hear more about this in the weeks to come. Thanks a lot. :)

@Elliot Kirk 

 

We use LastPass Enterprise for password management for our employees.  Is there anything in the pipeline that could replace this paid service?  Sales, Admin, and Accounting departments have a shared group of passwords that I can assign them so they never see the actual password.  

@CLE_Robbie it would be pretty fantastic to have an enterprise ready tool that does password handouts resets much like the tools out on the market now. It would integrate well with 365 as a service both as a consumer and as an enterprise.

@Elliot Kirk This is all nice, but in a mobile first world majority of the time is not about browser passwords. It is about having capability to use the passwords to mobile apps too. So this is why we should not compare this feature to password managers, because they have much better and wider functionality. 

@CLE_Robbie Our current Enterprise offerings include a centrally administered ability to Enable/Disable Autofill for each of the three data types - passwords, payments (cards) and personal info. Besides this, there's another set of policies that allow an organisation to classify website URLs as 'important' and prevent re-use of passwords used on those websites elsewhere.

It would be great to know more about what features (besides centralized password sharing and control) would be helpful to your organisation. Feel free to reply on the same thread, so others may also benefit from our discussion :)

@CLE_Robbie  Sharing the links to the above described sets of policies.

1. Basic Autofill enable/ disable 

Enable/Disable Password autofill

Enable/Disable Payment autofill

Enable/Disable Address autofill

2. Password Protection policies - Link 

@Elliot Kirk 

  • Fill on Account Select (FoAS): This feature (available via edge://flags, see below) enables stored credentials from getting Autofill-ed into Username and Password fields. The way it works is that instead of injecting your stored username and password directly into a website, the browser now requires an additional confirmation from you before this data is passed onto the website. (How this differs from the Master Password feature described previously is that FoAS does not involve an additional re-authentication step.)

 Please add re-authentication step here (at least ability to enable it in this case), just because all your arguments brokes when I press F12 and change input type from "password" to "text", what's the point to use window hello in "view saved passwords" when I can open the site and get the password with two clicks?

 You need to implement master password (or use windows hello) when filling sensitive data, in other case it will be default non-secure non-usable browser autofill and everybody will use lastpass and other alternatives.

@Suhrid_Palsule 

 

I'm pretty sure that I'm rather small in size compaired to others as I only have between 10-15 employees at any given time.  About 10 of them are main positions with little to no turn over.  However, it's those extra 5 that are always changing and that is why I would benefit from having one central location to house and maintain login credentials as I mentioned.  When onboarding a new employee I would LOVE a platform that would enable me to create one login for them in one place.  Then once I assign them to a department they would have everything they need to function throughout their day.

 

At the moment with LastPass, I have to monitor them in two places, not to mention pay per user.