10-29-2019 11:23 AM - edited 10-30-2019 08:18 AM
10-29-2019 11:23 AM - edited 10-30-2019 08:18 AM
The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern to many – and therefore have responded to all queries in the form of this blog post dedicated solely to the subject of password security.
What are Password Managers? Why should you save your passwords in Microsoft Edge? Is it safe to store passwords in Microsoft Edge?
Passwords are among the most sensitive types of data online; we recognize this and hence have strong measures in place to protect them. Passwords saved to Microsoft Edge (v76 and later) are stored in the Password Manager. Here’s how a Password Manager helps improve your overall online security:
How are passwords stored? What types of security measures are in place to protect this data?
Passwords are stored encrypted on disk. The type of encryption is specific to the platform. For example:
While there are several measures in place to ensure the security of stored passwords users can further bolster your security by following good practices such as:
Will Microsoft Edge continue to use the Credential Manager for storing Passwords?
For a long time, Internet Explorer and Microsoft Edge (v18 and earlier) passwords were stored in the Credential Manager. However, the new Microsoft Edge (v76 and later) will no longer store Passwords in the Credential Manager. [Credential Manager is a dedicated Windows application that stores web account passwords from Microsoft’s two browsers and passwords for other Windows apps].
The new Microsoft Edge will store passwords in a different location (a separate dedicated folder inside the Application Data folder of the Microsoft Edge app); this folder will contain all your web passwords (in encrypted form, as described earlier. You can refer to the previous Autofill post for details on how to access and manage all your web credentials.
I’m worried about saving passwords to the browser and using Autofill because others could log into my accounts or see all my passwords.
There are primarily two categories of concerns raised with respect to Passwords and Autofill:
Both of these above concerns are fair. While passwords are stored encrypted at rest, within an active Windows session there are several ways in which passwords can be accessed by anyone who has access to the computer. Physically-local attacks are extremely hard to defend against in general. It is therefore important that you:
While it’s possible to do more than just this, even such simple steps go a long way in reducing exposure of your sensitive data. Read on for some more steps that can help you address some of these concerns and improve your password security.
How can I ensure that only I can access and use the passwords I’ve saved?
As suggested earlier, practices such as locking your computer and using separate OS login accounts are great ways to ensure that only you have access to your passwords and other sensitive data. However, there might be times when others need to access the web using your browser. In such cases, it could be beneficial to have additional authentication checks added to the regular Autofill workflow.
By default, Autofill feature works by filling your stored credentials automatically into web forms. If ever the need arises, you can disable this functionality by using the Fill on Account Select feature:
Does Autofill need multi-factor authentication to work? Are passwords visible right after I login to Windows OS (or macOS), or is additional authentication required?
Autofill by default does not need multi-factor authentication to work. Currently there is no multi-factor auth planned for Autofill feature. Microsoft Edge stores and auto-fills your passwords without needing any additional setup.
[Note: Two-factor authentication for your Microsoft Account (MSA) and Azure Active Directory (AAD) identities is something that we will begin testing soon. Enabling this will add an extra layer of protection to your signed-in Microsoft Edge ; you are encouraged to set-up 2FA as an additional safeguard for your account].
With regard to making passwords visible, passwords are always masked in the browser by default. This is to prevent ‘shoulder surfing’ – the possibility of someone looking over your shoulder seeing your passwords. To be able to view your passwords you need to re-authenticate (type your OS login password again) when prompted, to make sure it is the rightful owner requesting this. Once re-authentication is complete, the passwords can be viewed for a brief after which they become hidden again.
What about profiles and passwords? I have two profiles – one for work and another personal one. Are the passwords for these two stored separately? Can some of the passwords be shared between multiple profiles?
Passwords are segmented by User Profile. They are stored in a separate folder (one for each profile) and cannot be shared between different profiles. This is because profiles are designed to be independent and can have different identity attached to each. It is also for this reason, that sharing passwords between profiles is not possible.
However, there are ways in which passwords sharing or importing from one profile to another can be supported in a way that is safer for users. Options on this are being explored as of today. Further updates on this will be shared via future blog posts.
Can I export all my Passwords?
Yes, this feature is now available across channels. This process requires reauthentication, meaning you need to enter your OS authentication in order to confirm it’s the rightful owner asking for this.
We strongly recommend being extremely careful with the exported file and taking this step only if necessary.
I want Microsoft Edge to create a password for me when I’m signing into a new account
There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same.
Is the native browser Autofill disabled when a 3rd party password manager is installed?
This is true for certain password manager applications as of today. If an extension is provided permission to “Change your privacy-related settings”, and make itself the autofill provider for the browser.
What happens to my passwords and other personal data if I delete a channel (like Stable, Canary, Developer or Beta) but not personal data – will I get it back after re-installation?
If you choose to uninstall any particular Microsoft Edge Channel and not clear your browsing data, all your older data will reappear if you re-install the same Channel again. For example, on Windows you will get an option like the one shown below – do not select the checkbox if you don’t want to clear your browsing data.
However, we recommend turning on Sync (Settings > Profile > Sync) and letting sync roam your data across channels as the best way to ensure you never lose your data.
How can I bulk-delete all of my passwords?
You can go to Settings> Privacy and Services > Clear Browsing Data > Passwords to delete all passwords at once.
10-30-2019 04:52 AM
Thanks great article.
Please also add the option to "Suggest strong password" just like in Google chrome.
it's very great security feature and since our passwords will be automatically kept in Edge insider browser and synced to all of our devices, we won't need to bother remembering that long and strong password. :)
10-30-2019 06:40 AM - edited 10-30-2019 06:41 AM
@Elliot Kirk I miss a feature to sync my Edge's Passwords with a 3rd party apps on Android, like happens on Mozilla (With its app called LockWise) and Google (With its Google SmartLock).
For example: if I try to sign in on Netflix, I need to go to the Edge, passwords, copy manually and past on Netflix app. If I saved my passwords on Chrome, it'd be synced with Google SmartLock and I could sing in easily.
10-30-2019 07:13 AM
@HotCakeX There is mention of Strong Password Generator in the blogpost above. Re-posting that part below for easy reference:
"I want Microsoft Edge to create a password for me when I’m signing into a new account
There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same."
11-03-2019 02:14 PM - edited 11-03-2019 03:18 PM
May I suggest a little more than having Edge create a strong password which is an obvious feature that Edge should have. Create a way to import passwords from Google Chrome into Microsoft Edge.
Chrome Password feature locks people into Google's Browser when it suggests passwords that are hard to memorize, and promises to keep them safely. If you don't give people a way out of Chrome stranglehold on passwords, you'll NEVER get these people to use Edge!
Google is intently locking people into Chrome using subtle ways! They could provide password managers that are outside the browser like Last Pass and Firefox, but they made it inbuilt to lock you in their browser. You need to provide a way out of Google stranglehold.
Proposition for Ms Edge to win more users
I suggest that Edge should have an inbuilt or a bundled download accelerator like IDM as one it's greatest strength. Faster downloads will be a compelling reason for many people to switch to Chrome, it may win 40% of Chrome users within 2 yrs.
Google business model involves looking for products that people do not want to pay for, then they develop provide for free and monetize their data. Microsoft business model involves creating products that people would want, then look for a way to sell, however, Google business model has proven to eat into Microsoft revenues. Sales of Ms Office dropped when Google offered Google Docs for free.
In the spirit of Google's business model, I suggest that Microsoft build a free download accelerator and bundle it with Edge or make it inbuilt in Edge. We don't want to pay for download accelerators - provide it for free, win more users, monetize data. We have lots of PC's in our business, and we don't allow the installation of illegally downloaded software and we don't like paying for IDM for all these PC's. We would want everyone to have IDM but it just doesn't make any economic sense.
There's sufficient incentive for Microsoft to do develop a download accelerator, you want more people to use edge, and you want your ad revenues to keep swelling. There's a bigger pay off so it makes sense to commit resources to develop this. I am not sure if there will be antitrust issues, I know you have a dedicated legal team for that. The last time I checked, IDM extension had 10 Million users on Chrome Web store. Those who have downloaded IDM illegally and use the extension without installing directly from the store could be in the range of hundreds of millions. These people don't want to pay for IDM. Stop them from downloading illegal software that keeps failing every time the web changes, and it constantly needs an update, give them for free but have it deeply integrated into Microsoft ecosystem, then monetize their data - Fair trade!
Extensions to aid Microsoft Eco-system
Once you're done with building your browser, build an extension similar to Gmail Email Checker for providing notification for outlook.com emails. It's these little things that have kept us in Google Ecosystem. If you have 4 Gmail accounts and you want to keep tabs in all of them, Gmail Email Checker will provide you with notifications, you don't need to keep logging in and out of 4 accounts. They have deeply integrated this extension with Google ecosystem so that the moment you allow this extension to notify you of your email, it also logs you in Google search. This way, Google is able to know who is performing searches then show them ads, the logic being, if you want free Gmail, we will record what you search and show you ads, fair to me and to most people, there's no way around it.
Microsoft should also have an outlook notifier that is deeply integrated with it's ecosystem. If you want free email from Microsoft and you want to be notified of all your 8 - 10 mailboxes that we provide for you for free, then agree to let us log you in our browser, and sync your data to our servers then show you relevant ads based on this collected data. You can install an adblocker if you like.
Notifiers for outlook.com that have been developed by third parties have serious privacy issues, they claim to anonymize your data from commercial emails, they copy your data and emails to their servers and sell to advertisers. They tell you straight to the face and they have no shame. They think it's right to copy your emails.
Google has these little stuff that has hooked me into their ecosystem and I want to leave for Microsoft which has a better email, but I just can't leave - which is a loss for Microsoft and a win for Gmail with their Gmail ads. Microsoft, I know you're listening, don't give us any reason to leave Microsoft and go back to Google services.
11-05-2019 07:56 AM
11-06-2019 09:31 AM
We use LastPass Enterprise for password management for our employees. Is there anything in the pipeline that could replace this paid service? Sales, Admin, and Accounting departments have a shared group of passwords that I can assign them so they never see the actual password.
11-07-2019 12:03 PM
@Elliot Kirk This is all nice, but in a mobile first world majority of the time is not about browser passwords. It is about having capability to use the passwords to mobile apps too. So this is why we should not compare this feature to password managers, because they have much better and wider functionality.
11-07-2019 05:50 PM
@CLE_Robbie Our current Enterprise offerings include a centrally administered ability to Enable/Disable Autofill for each of the three data types - passwords, payments (cards) and personal info. Besides this, there's another set of policies that allow an organisation to classify website URLs as 'important' and prevent re-use of passwords used on those websites elsewhere.
It would be great to know more about what features (besides centralized password sharing and control) would be helpful to your organisation. Feel free to reply on the same thread, so others may also benefit from our discussion :)
11-08-2019 08:54 AM
- Fill on Account Select (FoAS): This feature (available via edge://flags, see below) enables stored credentials from getting Autofill-ed into Username and Password fields. The way it works is that instead of injecting your stored username and password directly into a website, the browser now requires an additional confirmation from you before this data is passed onto the website. (How this differs from the Master Password feature described previously is that FoAS does not involve an additional re-authentication step.)
Please add re-authentication step here (at least ability to enable it in this case), just because all your arguments brokes when I press F12 and change input type from "password" to "text", what's the point to use window hello in "view saved passwords" when I can open the site and get the password with two clicks?
You need to implement master password (or use windows hello) when filling sensitive data, in other case it will be default non-secure non-usable browser autofill and everybody will use lastpass and other alternatives.
11-08-2019 09:30 AM
I'm pretty sure that I'm rather small in size compaired to others as I only have between 10-15 employees at any given time. About 10 of them are main positions with little to no turn over. However, it's those extra 5 that are always changing and that is why I would benefit from having one central location to house and maintain login credentials as I mentioned. When onboarding a new employee I would LOVE a platform that would enable me to create one login for them in one place. Then once I assign them to a department they would have everything they need to function throughout their day.
At the moment with LastPass, I have to monitor them in two places, not to mention pay per user.