password
18 Topics

Windows credential manager and Edge password manager
I want to suggest to sync passwords saved in Edge with Windows credential manager in order for them to be accessible to all other apps and programs in Windows and also operate as a system-wide password manager. Windows credential manager stores passwords from Internet Explorer and legacy Edge but not the new Edge browser; the link is broken and the two components don't talk to each other anymore. The problem at the moment is that some passwords are stored in my Edge browser password manager, some others are stored in Windows credential manager by other apps. If I want to change the password of a website, I have to manually update it in both places. Also, the apps I use on Windows 10 only talk to Windows credential manager and they don't use Edge password manager, so this creates the need to save passwords in 2 places and duplicate them. Such a great secure encrypted native feature in Windows that is rarely paid attention to. This is the system-wide password manager of Windows, just like the one in Android and Mac.

13K Views, 6 likes, 18 Comments

Introducing Edge Master Password | New feature
It's this feature: it's a controlled feature rollout available in Edge Canary, and was added a few versions ago. This helps your passwords stay safe, by requiring you to enter your Windows PIN/password when you want to autofill your credentials on a web page, using the same strong authentication method Windows uses to secure your login screen, secure your disks pre-logon etc. Next in line is this. I'm already seeing some bits of it in Edge Canary, but it's not fully implemented just yet.

12K Views, 3 likes, 2 Comments

Saved Passwords in Edge are now available to All apps on Mobile - System Wide Password Manager
I've been using the Microsoft Authenticator Beta app for a while on my Android phone. Today I received an update and now the app works as a system-wide password manager (password filler), for all websites and apps. This should work on iOS too.

Links to Google Play
https://play.google.com/store/apps/details?id=com.azure.authenticator&hl=en_US&gl=US
And App Store.
https://apps.apple.com/us/app/microsoft-authenticator/id983156458
(Remember you have to enroll in Beta for now until this is rolled out to the public.)

Q: How are my passwords protected by the Authenticator app?
A: Authenticator app already provides a high level of security for multi-factor authentication and account management, and the same high security bar is also extended to managing your passwords.

More info, Q&A and explanation here: https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq#autofill-for-consumers

11K Views, 4 likes, 7 Comments

How to view and manage your Microsoft passwords on Linux/Chrome/ChromeOS (Without Edge or mobile)
1. Install Google Chrome (or other Chromium-based browsers, including Edge itself)
2. Install the Microsoft Autofill extension
3. Sign into your Microsoft account in the extension
4. Access your passwords safely and hassle-free

* You do not need to sign in to a Google account for this.
** This works on Mac and Windows too, basically any environment where you can install this extension.

The extension also has an Import feature, so you can import your passwords at once from a file and save them to your Microsoft account.

Questions & answers about Microsoft Authenticator app - Azure AD | Microsoft Docs

Q: How are my passwords protected by the Authenticator app?
A: Authenticator app already provides a high level of security for multi-factor authentication and account management, and the same high security bar is also extended to managing your passwords.

Strong authentication is needed by Authenticator app: Signing into Authenticator requires a second factor. This means that your passwords inside Authenticator app can't be accessed even if someone has your Microsoft account password.

Autofill data is protected with biometrics and passcode: Before you can autofill password on an app or site, Authenticator requires biometric or device passcode. This ensures that even if someone else has access to your device, they cannot fill or see your password, as they’d be unable to provide the biometric or device PIN. Furthermore, a user cannot open the Passwords page unless they provide biometric or PIN, even if they turn off App Lock in app settings.

Encrypted Passwords on the device: Passwords on device are encrypted, and encryption/decryption keys are never stored and always generated on-the-fly. Passwords are only decrypted when user wants to, that is, during autofill or when user wants to see the password, both of which require biometric or PIN.

Cloud and network security: Your passwords on the cloud are encrypted and decrypted only when they reach your device. Passwords are synced over an SSL-protected HTTPS connection, which ensures no attacker can eavesdrop on sensitive data when it is being synced. We also ensure we check the sanity of data being synced over network using cryptographic hashed functions (specifically, hash-based message authentication code).

10K Views, 2 likes, 4 Comments

Password Generation and Password Reveal are Not working
I've enabled this flag which was disabled by default:

Show autofill signatures
Annotates web forms with Autofill signatures as HTML attributes. Also marks password fields suitable for password generation. – Mac, Windows
#enable-show-autofill-signatures

But that didn't change anything. There aren't any other flags left related to this issue to turn on. The reveal icon does not appear in any password fields, and right-clicking on password fields does not offer an option to generate a strong password.

Version 79.0.283.0 (Official build) canary (64-bit)

Solved, 5.9K Views, 0 likes, 8 Comments

New security feature: Passwords Length are now Hidden in Edge Password Manager
Microsoft Edge Version 83.0.474.0 (Official build) canary (64-bit)

Now the Password Length is hidden in Edge browser's password manager: edge://settings/passwords

Previously even if you couldn't see the characters, you could still see how long the password is:

Now the Password Length is also hidden

Solved, 5.4K Views, 2 likes, 11 Comments

[FIXED] Bug in Edge insider password manager
Revealed passwords can't be copied. I noticed this in Version 79.0.294.0 (Official build) canary (64-bit), but I'm not sure if the problem started happening in this version. What I'm sure of is that it used to work on both Google Chrome and Edge insider. Not being able to copy revealed passwords makes it hard to use them in other places when we need to.

Solved, 4.4K Views, 0 likes, 16 Comments

Automatic login lost.
Currently on Version 83.0.472.0 but this problem started in 471. Edge stopped automatically logging me into all the about 3 dozen websites that it previously saved my credentials for. I have to manually log in on every single site. All the credentials are still present in Settings/Passwords. When I click on "log in" on each of these sites, the user ID and password fields on the next screen are already filled in with the correct values. So all I have to do is hit Enter. After that, on several of the pages such as Facebook etc., I have to go through the 2-factor authentication. Very, very cumbersome. I am talking about sites such as Microsoft Techcommunity, Facebook, Reddit, etc. In the top right of the screenshot you can see that it shows my profile picture in the top line (logged in my Outlook acct) but asks me to log into the site on the line beneath it. All this happens every single time I reopen the browser after closing it. Am I the only one with this problem? Already provided feedback.

Solved, 3.7K Views, 0 likes, 6 Comments

[Bug] Password manager exposes the password length and decrypts without a private key!
This is a security issue that is out in the wild, though I do not think it is so severe that it poses a risk to mention it here. The page edge://settings/passwords allows the person in front of the computer to reveal passwords after they convince the browser about their ownership by entering their account's password, or their PIN on that device. That's cool! The problem is, it also displays the actual lengths of the passwords without any proof of ownership! The problem here is twofold:

How, even? How is it even able to do that in the first place? I would expect the passwords to be encrypted in such ways that even the browser itself cannot decipher the passwords, nor their lengths, without the private key, which should have been a derivative of the credential that the user should be entering.

A premature hint! Exposing the length of the password is too much of a hint to tell someone who hasn't yet provided their proof of ownership. The browser is reluctant to expose the password as a whole; it asks for an authentication before doing that. Then, why is the browser even giving this piece of hint out? To convince the person in front of the computer that it really has the actual password? Aesthetics?

Just now I realized that the auto-fill somehow also enters my password in plain text to the websites, without asking for any private key of sorts... I guess then being the person in front of an unlocked computer is enough to get the passwords deciphered (and entered via auto-fill). Then my question is in reverse: What is the point of keeping them censored on edge://settings/passwords at all, if we trust this person so much?

Windows in and of itself does not trust so easily: Fire up the "Credential Manager" (type that into Start menu search). It displays the censored passwords with the dummy length of 8 or something. They are revealed only after authentication. I hope that, without authentication, it does not decipher the passwords nor give them away either. Why does the browser give in?

Could you provide an option on edge://settings/passwords to let us choose to require authentication before auto-filling the passwords? Just like the one that pops up when you hit the "peek" button to reveal the passwords. I personally find the auto-fill as it is kind of insecure. I would rather enter my PIN every time I log in (with cookies, this doesn't happen so frequently anyway), than to have the equivalent of keeping my passwords in a passwords.txt that I hid deep in my Documents.

Sincerely,
Utkan

2.7K Views, 0 likes, 6 Comments