Don't use Microsoft Edge to save passwords

Martin Brinkmann
Jun 30, 2016
Updated • Jan 4, 2018

Microsoft Edge, just like any modern browser, comes with options to save account passwords when you enter them on websites.

Microsoft Edge displays a prompt at the bottom of the browser window whenever it recognizes a sign in to a service or website.

You may use it to save the password so that it is filled out automatically when you need to sign in to the site again.

Microsoft Edge saves the site, username and password when you select the yes option, and fills out login information automatically next time you open the sign in page.

Microsoft Edge saved passwords

Microsoft Edge ships with options to manage the password saving behavior, and to list all sites for which passwords are saved.

To access the options, do the following:

  1. Select the menu icon (three dots) in the upper right corner of the Edge interface, and select Settings from the menu.
  2. Scroll down until you find advanced settings, and click on the view advanced settings button.
  3. Scroll down to the privacy and services section.

You may flip the "offer to save passwords" switch from on to off to disable the password saving prompts and functionality.

A click on manage my saved passwords lists all saved accounts. Only the domain and username are displayed there.

You may click on the x-icon to delete an account, or click on the account itself to edit the username or password. Edge displays a password field on that page, but does not reveal the saved password there.

The Credential Manager

You may view the passwords in the Credential Manager, a Control Panel applet. The easiest way to open it is to tap on the Windows-key, type Credential Manager and select the result from the list that is returned.

Each account is listed under web credentials. While you see the domain name and username only on that page, you may click on the down arrow next to it to display additional information about it.

The password is encrypted, but you may click on the show link next to it to reveal it. This won't work right away though, as you are required to enter the Windows account password first to reveal the password.

The issue

One could say that using the credential manager works similarly to using a master password in other browsers.

Anyone with access to the device would still need the account password to display the saved passwords in Microsoft Edge.

While that is the case for the Credential Manager, it is not the case for third-party programs such as Edge Password Manager.

The program pulls the information from the operating system, and may show the passwords in clear text without any form of protection that prevents this.

Anyone with access to the account can list all account passwords using the program.

One could say that this is not a problem if the PC is used alone, and if there is virtually no chance that someone else might access it.

Still, the issue exists and it may be exploited under certain circumstances.
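
Why the Windows password prompt protects the Credential Manager view but not the stored data, as an added PowerShell illustration that is not from the article or from any of the tools it names. It assumes per-user data protection (DPAPI, through .NET's ProtectedData class) as a stand-in for the operating system's store, which the article does not name, and it works on constructed sample secrets only.

```powershell
# Added illustration, not the article's code. Constructed secrets only.
# Assumption: DPAPI (CurrentUser scope) stands in for the OS credential store.
Add-Type -AssemblyName System.Security
$pd    = [System.Security.Cryptography.ProtectedData]
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8  = [System.Text.Encoding]::UTF8

$secret = $utf8.GetBytes('constructed-sample-password')
$master = $utf8.GetBytes('constructed-master-secret')

# Blob A: protected by the logon-derived key alone.
# Blob B: same, plus extra entropy that plays the role of a master password.
$dir = Join-Path $env:TEMP ("dpapi-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
[IO.File]::WriteAllBytes("$dir\logon-only.bin",  $pd::Protect($secret, $null,   $scope))
[IO.File]::WriteAllBytes("$dir\with-master.bin", $pd::Protect($secret, $master, $scope))

# Start-Job runs the block in a separate process under the same account,
# which is the position any third-party program the user launches is in.
$job = Start-Job -ArgumentList $dir -ScriptBlock {
    param($dir)
    Add-Type -AssemblyName System.Security
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    foreach ($name in 'logon-only.bin', 'with-master.bin') {
        $blob = [IO.File]::ReadAllBytes((Join-Path $dir $name))
        try {
            # No entropy supplied: only what the logon session already grants.
            $null = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            "{0,-16} decrypted with no prompt and no extra secret" -f $name
        } catch {
            "{0,-16} NOT decrypted: the extra secret is required" -f $name
        }
    }
}
Receive-Job -Job $job -Wait -AutoRemoveJob
Remove-Item -Recurse -Force $dir
```

The two result lines show the difference between data keyed only to the logon session and data that also needs a secret the user types, which is what a master password adds.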

The situation improves when extension support launches for Edge, as password managers such as LastPass will be made available for the browser.

Additionally, you may use local password managers such as KeePass, and copy & paste to sign in to services. Obviously, you would have to turn off the password saving in Edge for that.

I have not tested yet if KeePass' global login shortcut works when you use Microsoft Edge.

Publisher: Ghacks Technology News

Comments

  1. Campaisa said on December 2, 2021 at 10:48 pm

    This article needs to be updated. Latest features with leak detection and automatic strong password generation make Edge password manager much more secure.

  2. Eb4no said on January 29, 2021 at 7:53 am

    Question. Whilst I’m happy with Edge and credential manager encrypted support in Local Manager mode on my laptop… How does this work on my Android mobile device which is synced with my account across both devices? Are the passwords still encrypted and inaccessible from my mobile?

  3. Gary said on July 24, 2020 at 8:26 pm

    Why are some passwords saved in Edge different from those saved in Credential Manager? I don’t understand how they (Edge and Credential Manager) differ. Thanks.

  4. John said on November 4, 2019 at 2:39 pm

    Perhaps your title should read don’t store passwords in any browser as they all suffer from the same flaw that the password has to be stored encrypted but has to cleartext it in order to use it. In contrast to Chrome, Firefox, and co the Credential manager can be password protected but also use other security measures (hello, face recognition etc.) that make it a much safer place. Chrome and Firefox even offer storing passwords in their “cloud” which offers no guarantee against eavesdroppers.

    The best and most secure place to store your password is in your brain, after that KeePass and Windows credential managers (or Seahorse on Ubuntu). But never store your passwords in Chrome, Firefox or other browsers which are not made specifically with this in mind.

  5. Alistair McNaught said on August 28, 2018 at 11:54 am

    Helpful article but my biggest complaint about Edge password management is that when I log into a service and put the cursor focus in the Password field a plain text drop down list of all my different passwords pops up on screen. Since I often present to conferences and workshops (including recorded online workshops) the last thing I want is for everyone to be able to see a suite of password options for my accounts.

  6. Ronald Eck said on March 26, 2018 at 8:04 pm

    I have no idea what comment you want me to leave.

  7. Ronald Eck said on March 26, 2018 at 8:02 pm

    I have never been able to sign in to Credit Karma since I opened the account. What is wrong with what I am doing?

  8. Gullible One said on July 3, 2016 at 11:51 pm

    I have No Things to Hide, So Who Cares.

  9. jasray said on July 1, 2016 at 5:17 pm

    Rather naive–try ReCall

    http://keit.co/p/recall/

    Great tool!

    recALL allows you to quickly recover passwords from more than 270 programs (email, web browsers, instant messengers, FTP clients, wireless, etc.) and license keys from more than 2,800 applications. recALL is the world’s first program that allows you to recover the majority of passwords and also licenses from damaged operating systems through native support of the registry files from the system Windows.
    Thanks to the unique feature of emulation FTP, POP3 and SMTP can recover passwords from any application supporting these protocols, even if the program is not yet supported in recALL.

    All functions in one program.

  10. AP said on July 1, 2016 at 3:57 pm

    The same issue exists in IE, and other browsers too… http://www.nirsoft.net/utils/web_browser_password.html

    1. Soy said on July 1, 2016 at 4:55 pm

      I’m surprised! I have Firefox password viewer but I didn’t know there’s an ‘all-in-one’ password viewer..

  11. Mystique said on July 1, 2016 at 12:42 pm

    Firefox does not crash half a dozen times here and if you are fit enough to run Edge then you are capable enough of downloading the correct version of Firefox and have sufficient RAM to meet your needs. If you exceed your RAM’s capacity you are bound to have issues with any browser or software.
    Also if you have Edge then it’s likely you have Windows 10 in which case you are having your data mined and are being tracked thus I can only assume that your point is moot.

    Whilst this is not the best article on Ghacks it does illustrate a rather obvious point and that is that your data is not safe and one should not go allowing just about anyone to work on your computer or login to your accounts in just about anyone’s computer.
    Passwords are not safe but I am yet to see a viable option which is not invasive and does not violate one’s privacy.
    Microsoft and the US have created a great deal of mistrust and I do not feel safe divulging any additional personal data to any unknown source beyond what I already do.

    Local files can be stolen and/or cracked so if we are to assume that we had some sort of unique magic cookie of sorts to replace the password then we must accept that it will be stolen at some point and become just as vulnerable as a password.

    1. Pants said on July 1, 2016 at 4:34 pm

      Please send your fingerprints, iris scans, photos of your face (please do not wear glasses and make sure to smile), and voice analytics, to [insert company name here], c/o The Worldwide Database for Law Enforcement and Terrorism FUD. Bonus points for providing biometrics for walking gaits, DNA, earprints, body dimensions, and first new-born baby souls (1 point per soul).

      1. T J said on July 1, 2016 at 6:09 pm

        @ Pants

        You left out foot/toe prints and shoe size. :-)

  12. Dave said on July 1, 2016 at 11:22 am

    No worries. I would not wipe my toilet seat with Microsoft Edge …

  13. Kreygasm said on July 1, 2016 at 9:51 am

    I wonder if someone that actually uses Internet Explorer Edge will read this article.

  14. Lorenzo said on June 30, 2016 at 10:53 pm

    Edge? Windows? Avoid those two and all problems are solved ;)

    1. JoeHTH said on July 1, 2016 at 4:30 am

      Don’t listen to this idiot. Windows 10 is great and Edge is very good. At least it doesn’t crash half a dozen times a day like Firefox, nor does it track everything like Chrome.

      1. T J said on July 1, 2016 at 6:06 pm

        @ JoeHTH

        I use Cyberfox. It NEVER crashes !!!

        “Windows 10 is great and Edge is very good”

        I’m still waiting for the final release version of Win 10. All releases to date have been Alpha, Beta or fixes for said Alpha/Beta.

        Edge. Where are the addons and extensions !

      2. DRI said on July 1, 2016 at 1:11 pm

        idiot…..Windows 10…..track everything like Chrome

        Hmmm

      3. Dave said on July 1, 2016 at 11:23 am

        WOW, you seem to be a “windows 10 target audience” type of person… and that is as bad as an insult can get…

      4. harushi said on July 1, 2016 at 7:06 am

        Your Firefox crashes a dozen times a day? You should buy a new computer

    2. Tim said on June 30, 2016 at 11:05 pm

      How so? Don’t you use passwords on anything else?

  15. Tim said on June 30, 2016 at 10:39 pm

    I’m not sure I follow, maybe I’m missing something? If you have control of a user’s PC to install ‘Edge Password Manager’, then it’s already game over, the machine is compromised and really anything goes. If the user is using Keepass instead, then just recording their keystrokes would make it equally ineffective. Even with ‘Enter Master Key on Secure Desktop’ switched on in Keepass it won’t help because if someone has control of the PC they can just turn that off.

    If anything, Edge could potentially be safer because in the keylogger scenario, the attacker would make off with the entire Keepass database file and master password. However, if as you say in the article, passwords stored in Credential Manager are encrypted, then if they’re strong passwords, ‘Edge Password Manager’ will come up with no plain text results for those hashed passwords when it tries to look them up. No?

    I think it’s about time the FIDO alliance got their stuff together so we can get rid of the pain that are passwords altogether.

    1. Martin Brinkmann said on July 1, 2016 at 6:10 am

      You are right that the battle is lost already if someone manages to gain system access. Still, I think that this is an issue that does not need to be there. Think about homes where the same user account is used by everyone, or where people don’t mind handing over their PC, tablet or laptop to someone else.

      Edge Password Manager reveals the passwords directly, without requiring the user account password.

      1. Barlo said on July 1, 2016 at 8:30 am

        Simple. Don’t run as admin and anyone you hand your system to won’t be able to install 3rd party tools. People should be logged in most of the time as a standard user.

      2. Martin Brinkmann said on July 1, 2016 at 9:25 am

        I understand that, but the reality is that many Windows users don’t use standard user accounts.

  16. Andrew said on June 30, 2016 at 10:24 pm

    This is a flaw I think in all browsers. tbh, I don’t get why there’s some security to prevent people from running a program to get all the passwords. Like why aren’t they encrypted somehow. Another example being Chrome. If you want to view your passwords, you have to put in your system’s password… or you can just download ChromePass from Nirsoft and get them that way.

    1. Obi said on July 1, 2016 at 8:08 am

      It’s not really a flaw, that’s how Windows and most desktop OSs work by design. The passwords are either encrypted or usable. And if they’re usable, they’re visible to 3rd party software.

      The only way to prevent this would be some kind of sandboxing of 3rd party software on Windows, which would prevent access to passwords and other sensitive data.

  17. Tom said on June 30, 2016 at 10:23 pm

    So this is actually a deficiency in a third party program called “Edge Password Manager” and not the Edge browser itself.
    Misleading click bait heading.

    1. Martin Brinkmann said on July 1, 2016 at 6:12 am

      No, this is an issue in Microsoft Edge, as anyone can read out the passwords saved in the browser if they run the third-party program.

      1. Adam said on July 5, 2016 at 1:27 am

        @Anonymous – an attacker doesn’t need to have a physical access to your PC, there are plenty of viruses and malware which can be injected remotely. Unencrypted passwords are just unsafe, no matter which browser you use.

      2. Obi said on July 1, 2016 at 8:03 am

        I’m not defending Edge, but the same “issue” is in _every password manager ever_. When you run 3rd party software all bets are off.

        But I guess Edge/IE users are the type of people who need to be reminded of this more than others, so in a way your post makes sense.

      3. Martin Brinkmann said on July 1, 2016 at 8:11 am

        You are right, other browsers show the same weakness.

      4. Anonymous said on July 1, 2016 at 6:59 am

        So they need access to your pc, need to install the password program…third-party…then they get access to your passwords…gotcha. I’ll let you try it from where you are at on my pc….now go.
