Autofill Blog #2: Password Security

Microsoft

The last blog post on Autofill in Microsoft Edge received several comments and inquiries from readers on Password Storage and Security. We understand this is a subject of great interest and concern to many – and therefore have responded to all queries in the form of this blog post dedicated solely to the subject of password security.

 

What are Password Managers? Why should you save your passwords in Microsoft Edge? Is it safe to store passwords in Microsoft Edge?

Passwords are among the most sensitive types of data online; we recognize this and hence have strong measures in place to protect them. Passwords saved to Microsoft Edge (v76 and later) are stored in the Password Manager. Here’s how a Password Manager helps improve your overall online security:

  1. Convenient, Reliable & Secure: A Password Manager allows you to use strong and unique passwords for each one of your internet accounts without the burden of having to remember them – the Password Manager saves and remembers all your passwords. Using a browser-based Password Manager is among the most convenient, secure and reliable ways of storing Passwords (as opposed to relying on human memory or other manual alternatives); the latter methods can often lead to bad password practices such as using easy-to-guess passwords, or re-using the same password across different accounts.
  2. Protection against Phishing: The Password Manager recognizes web forms by storing and remembering a unique digital signature for each form. It uses this signature to fill in the right username and password for the respective website. If you encounter a phishing website or form (one where a bad actor has created a fake website that looks the same as the original), the Password Manager acts as a phishing defense: it won’t fill in the username or password because the form signature won’t match the original, thereby protecting you and your online account.

 

How are passwords stored? What types of security measures are in place to protect this data?

Passwords are stored encrypted on disk. The type of encryption is specific to the platform. For example:

  • On Windows, passwords are encrypted using the Data Protection API. This ties your passwords to your OS user account, meaning they are encrypted using a key that can only be accessed by processes running as the same logged-on user. These passwords get decrypted and are available for use only after you log into Windows
  • On macOS, credentials are stored in "Login Data" in the Microsoft Edge users’ profile directory. They are also encrypted on disk with a key that is then stored in the user's Keychain

While there are several measures in place to ensure the security of stored passwords, you can further bolster your security by following good practices such as:

  • Ensuring that you log out of your OS session once your work is done
  • Installing applications and extensions only from trusted sources

 

Will Microsoft Edge continue to use the Credential Manager for storing Passwords?

For a long time, Internet Explorer and Microsoft Edge (v18 and earlier) passwords were stored in the Credential Manager. However, the new Microsoft Edge (v76 and later) will no longer store Passwords in the Credential Manager. [Credential Manager is a dedicated Windows application that stores web account passwords from Microsoft’s two browsers and passwords for other Windows apps].

The new Microsoft Edge will store passwords in a different location (a separate dedicated folder inside the Application Data folder of the Microsoft Edge app); this folder will contain all your web passwords (in encrypted form, as described earlier). You can refer to the previous Autofill post for details on how to access and manage all your web credentials.

 

I’m worried about saving passwords to the browser and using Autofill because others could log into my accounts or see all my passwords.

There are primarily two categories of concerns raised with respect to Passwords and Autofill:

  1. Autofill related: That anyone can access (accidentally or intentionally) any of your online accounts via the password autofill functionality
  2. Access Passwords directly: That someone would be able to steal (or at least take a look at) all your passwords as they are stored in a single location

Both of these above concerns are fair. While passwords are stored encrypted at rest, within an active Windows session there are several ways in which passwords can be accessed by anyone who has access to the computer. Physically-local attacks are extremely hard to defend against in general. It is therefore important that you:

  • Lock or log out of your OS once your work is done or you’re away from your device
  • Use separate OS login accounts if the device is shared among multiple people.

While it’s possible to do more than just this, even such simple steps go a long way in reducing exposure of your sensitive data. Read on for some more steps that can help you address some of these concerns and improve your password security.

 

How can I ensure that only I can access and use the passwords I’ve saved?

As suggested earlier, practices such as locking your computer and using separate OS login accounts are great ways to ensure that only you have access to your passwords and other sensitive data. However, there might be times when others need to access the web using your browser. In such cases, it could be beneficial to have additional authentication checks added to the regular Autofill workflow.

  • Master Password: This term describes a functionality which requires re-authentication each time before passwords are filled into a website, thereby adding an additional layer of privacy to your account. Many users have long requested this functionality and we will be experimenting with some potential solutions in this space soon.

By default, the Autofill feature works by filling your stored credentials automatically into web forms. If ever the need arises, you can disable this functionality by using the Fill on Account Select feature:

  • Fill on Account Select (FoAS): This feature (available via edge://flags) prevents stored credentials from being autofilled automatically into Username and Password fields. Instead of injecting your stored username and password directly into a website, the browser requires an additional confirmation from you before this data is passed on to the website. (FoAS differs from the Master Password feature described previously in that it does not involve an additional re-authentication step.)
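The form-signature check from the phishing-protection point earlier and the Fill on Account Select and Master Password behaviour described here can be modelled together. The sketch below is an added example, not Microsoft Edge's code: the signature format (origin plus sorted field names), the mode names, the `ctx` flags and the example.com URLs are assumptions made for illustration.

```javascript
// Simplified model of the fill decision; not Microsoft Edge's implementation.
// Assumption: a form "signature" is the page origin plus its sorted field names.
function formSignature(pageUrl, fieldNames) {
  const origin = new URL(pageUrl).origin; // scheme + host + port
  return origin + "|" + [...fieldNames].sort().join(",");
}

const MODES = new Set(["regular", "foas", "master"]);

class PasswordStore {
  constructor() {
    this.entries = new Map(); // signature -> saved credential
  }

  save(pageUrl, fieldNames, username, password) {
    this.entries.set(formSignature(pageUrl, fieldNames), { username, password });
  }

  // ctx.accountSelected: the user picked the account (FoAS and Master Password).
  // ctx.reauthenticated: the user passed a re-authentication prompt (Master Password).
  decideFill(pageUrl, fieldNames, mode, ctx = {}) {
    if (!MODES.has(mode)) return { fill: false, reason: "unknown-mode" };
    let signature;
    try {
      signature = formSignature(pageUrl, fieldNames);
    } catch (err) {
      return { fill: false, reason: "invalid-url" };
    }
    const entry = this.entries.get(signature);
    if (!entry) return { fill: false, reason: "signature-mismatch" };
    const needsPick = mode !== "regular" && !ctx.accountSelected;
    if (needsPick) return { fill: false, reason: "awaiting-account-selection" };
    const needsAuth = mode === "master" && !ctx.reauthenticated;
    if (needsAuth) return { fill: false, reason: "awaiting-reauthentication" };
    return { fill: true, reason: "ok", username: entry.username };
  }
}

// Constructed sample data: example.com is the saved site, examp1e.com a lookalike.
function demo() {
  const store = new PasswordStore();
  const fields = ["username", "password"];
  store.save("https://login.example.com/signin", fields, "alice", "constructed-secret");
  const genuine = "https://login.example.com/signin?next=%2Fhome";
  return {
    genuine: store.decideFill(genuine, fields, "regular"),
    lookalike: store.decideFill("https://login.examp1e.com/signin", fields, "regular"),
    downgraded: store.decideFill("http://login.example.com/signin", fields, "regular"),
    foasIdle: store.decideFill(genuine, fields, "foas"),
    foasPicked: store.decideFill(genuine, fields, "foas", { accountSelected: true }),
    masterNoAuth: store.decideFill(genuine, fields, "master", { accountSelected: true }),
  };
}

console.log(demo());
```

In this model the lookalike host and the `http://` downgrade both fail the signature match before any mode logic runs, so FoAS and Master Password only add friction on the genuine site.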


 

Does Autofill need multi-factor authentication to work? Are passwords visible right after I login to Windows OS (or macOS), or is additional authentication required?

Autofill by default does not need multi-factor authentication to work. Currently there is no multi-factor authentication planned for the Autofill feature. Microsoft Edge stores and auto-fills your passwords without needing any additional setup.

[Note: Two-factor authentication for your Microsoft Account (MSA) and Azure Active Directory (AAD) identities is something that we will begin testing soon. Enabling this will add an extra layer of protection to your signed-in Microsoft Edge; you are encouraged to set up 2FA as an additional safeguard for your account].

With regard to making passwords visible, passwords are always masked in the browser by default. This is to prevent ‘shoulder surfing’ – the possibility of someone looking over your shoulder and seeing your passwords. To be able to view your passwords you need to re-authenticate (type your OS login password again) when prompted, to make sure it is the rightful owner requesting this. Once re-authentication is complete, the passwords can be viewed for a brief period, after which they become hidden again.

 

What about profiles and passwords? I have two profiles – one for work and another personal one. Are the passwords for these two stored separately? Can some of the passwords be shared between multiple profiles?

Passwords are segmented by User Profile. They are stored in a separate folder (one for each profile) and cannot be shared between different profiles. This is because profiles are designed to be independent and can each have a different identity attached. It is for this reason that sharing passwords between profiles is not possible.

However, there are ways in which password sharing or importing from one profile to another can be supported in a way that is safer for users. Options on this are being explored as of today. Further updates on this will be shared via future blog posts.

 

Can I export all my Passwords?

Yes, this feature is now available across channels. This process requires reauthentication, meaning you need to enter your OS authentication in order to confirm it’s the rightful owner asking for this.

You can export passwords by following the below steps:

  1. Go to Settings > Profile > Passwords and click on the ‘More Menu’ at the start of the table.
  2. You will then get a dialog asking you to confirm this decision.
  3. Finally, reauthenticate yourself when the dialog appears, and the file will get exported.

We strongly recommend being extremely careful with the exported file and taking this step only if necessary.

 

I want Microsoft Edge to create a password for me when I’m signing into a new account

There is certainly value in being able to simply select a browser-generated password, as opposed to creating a new one each time from memory. We believe a good Password Generator should offer strong, high-entropy passwords that also appeal to users. This double-objective also serves as the bar for bringing this feature into Microsoft Edge. We have heard your request for this feature and are working on solutions for the same.

 

Is the native browser Autofill disabled when a 3rd party password manager is installed?

This is true for certain password manager applications as of today. An extension that is granted the permission to “Change your privacy-related settings” can make itself the autofill provider for the browser.

 

What happens to my passwords and other personal data if I delete a channel (like Stable, Canary, Developer or Beta) but not personal data – will I get it back after re-installation?

If you choose to uninstall any particular Microsoft Edge Channel and not clear your browsing data, all your older data will reappear if you re-install the same Channel again. For example, on Windows you will get an option like the one shown below – do not select the checkbox if you don’t want to clear your browsing data.


However, we recommend turning on Sync (Settings > Profile > Sync) and letting sync roam your data across channels as the best way to ensure you never lose your data.

 

How can I bulk-delete all of my passwords?

You can go to Settings > Privacy and Services > Clear Browsing Data > Passwords to delete all passwords at once.


58 Replies

Hi @saltukkos, thank you for your feedback! Responses below:

 

  1. Add re-authentication to FoAS: Yes, this is under consideration (as discussed in the blog post; see Master Password). However, FoAS is useful in its own right as it defends against certain types of security attacks - read more here.

  2. Viewing passwords in the HTML: This is a known fact and not a vulnerability. When you offer a website your username and password – either by entering it in manually OR via autofill – the website now has access to these text entries as is evident by using F12 and seeing them in the website HTML.

    Autofill functionality simply mimics the user action of manually entering the username/password text into the respective form fields and saves time and manual effort.

    If an unauthorized person is viewing the password using Dev tools, this means that the device is no longer secure. As stated in the blog-post, such threats (classified as physically-local attacks) are outside the Security Threat Model of the Password Manager.

  3. Why ask for authentication during the ‘View Saved Passwords’ user flow when they can be viewed in the site HTML: First, you will find that you cannot use the same F12 approach to make passwords visible in Settings. This is because at this point they’re still stored securely with the browser and not yet auto-filled into the website. So they can be made visible only after due authentication. Once they’re auto-filled, however, this is as good as having been entered manually (as explained above). And therefore being able to view them through Developer Tools is not a vulnerability and asking for authentication in the Settings View flow is appropriate from a security perspective.

  4. Master Password: As stated in the blog post, we are considering this. And yes, this will ensure that autofill only works after due authentication is provided.

  5. Non-secure, non-usable: Current browser, as explained above, is not non-secure or non-usable.

 

In closing, it might be helpful to look at a simplified version of the Password Manager security model from a user’s perspective (Note: This is a simplified version and does not cover all aspects of the feature):

Password storage: Encrypted on disk

View password in Settings: Blinded by default, can’t be exposed via F12. Need OS authentication to make visible

Auto-fill into websites:

  1. Regular mode: auto-fill works without additional user input
  2. FoAS (available via flag): Requires user to choose account that she wants to autofill and prevents user from certain types of Phishing attacks
  3. Master Password: similar to FoAS but with an additional authentication check


Hope this helps!

Thank you, @CLE_Robbie for sharing more context.

And size of organization is hardly an important criteria here. The central account management requirement that you describe has become essential for most Enterprises. I have noted your feedback and it will be taken into consideration and discussed by the relevant teams, internally. Thanks, again.

I completely agree with this need. It is the only thing you are missing for me to switch to Edge 100%. Please include this option on Android.

Does the data remain encrypted during sync over the web? @Suhrid_Palsule 

@mikemuch Passwords stay encrypted during transit as well as in cloud storage.

Hi,
I would like my passwords saved in the new Edge browser to be accessible to all of the programs and apps installed on Windows 10. Would it be possible when Edge stable is released?
Is Master password really needed?
I mean passwords are already being protected either by Windows 10's user account password or PIN; anyone who is going to view a password needs to know Windows user account credentials. Isn't that enough?

@HotCakeX This was a capability offered by the legacy Microsoft Edge browser, where all your Website and Windows App passwords were stored in the Credential Manager.

In the new Microsoft Edge, passwords are stored in a different location (App data folder) and on a per profile basis. There is currently no ability to autofill these passwords on Windows apps. 

@HotCakeX Your question is fair. It is mostly the original user (who knows the OS password and PIN) who is mostly the one operating the browser.

Master Password feature, simply, offers an additional layer of privacy during those instances when your browser is being used by someone other than you. This helps prevent unauthorized or accidental  entry into accounts of the original user. 

@Suhrid_Palsule 


@Suhrid_Palsule wrote:

@HotCakeX This was a capability offered by the legacy Microsoft Edge browser, where all your Website and Windows App passwords were stored in the Credential Manager.

In the new Microsoft Edge, passwords are stored in a different location (App data folder) and on a per profile basis. There is currently no ability to autofill these passwords on Windows apps. 


 

Yes I know,

What I'm saying is that I want this feature to be added to the new Edge.

Currently it is exactly how Google Chrome is on Windows 10.

These features will make the new Edge unique and more useful compared to the rivals.

@Suhrid_Palsule 


@Suhrid_Palsule wrote:

@HotCakeX Your question is fair. It is mostly the original user (who knows the OS password and PIN) who is mostly the one operating the browser.

Master Password feature, simply, offers an additional layer of privacy during those instances when your browser is being used by someone other than you. This helps prevent unauthorized or accidental  entry into accounts of the original user. 


 

There are 3 possible scenarios:

 

1. your browser is being used by yourself, owner of the user account, who knows the user credentials so the same credentials can be used to reveal passwords in Edge.

 

2. your browser is being used by someone else that you trust, who also knows your user credentials, (password or preferably PIN), so they can still use those credentials to reveal passwords in Edge.

 

3. your browser is being used by someone else that you don't trust, thus they don't know your user credentials, in this situation, they can use "browse as a guest" and obviously when you don't trust them, you don't give them your user credentials.

 

So there is no need for a master password. Am I missing anything?

Thank you for your feedback! :)

If you don't mind me asking, can you list down names of 1-2 applications that you would use this capability to sign-in to automatically.

@HotCakeX Overall, no. That classification of scenarios is exhaustive. 

However, as mentioned earlier - this is an additional (and optional) Privacy setting that prevents others from accessing your accounts on the web.

@Suhrid_Palsule 


@Suhrid_Palsule wrote:
Thank you for your feedback! :)

If you don't mind me asking, can you list down names of 1-2 applications that you would use this capability to sign-in to automatically.

Facebook, Twitter, Instagram and so on :)

 

Well it's always good to have more privacy/security
Great post Elliot!
I agree, I cannot wait for this feature to be trialled and rolled out.
Hi sayjay09, glad you liked the post. Can you share which feature you're referring to in your last response? Thank you.