Don’t use Microsoft Edge to save passwords

Microsoft Edge, just like any modern browser, comes with options to save account passwords when you enter them on websites.

Microsoft Edge displays a prompt at the bottom of the browser window whenever it recognizes a sign-in to a service or website.

You may use it to save the password so that it is filled out automatically when you need to sign in to the site again.

Microsoft Edge saves the site, username and password when you select the yes option, and fills out the login information automatically the next time you open the sign-in page.

Microsoft Edge saved passwords


Microsoft Edge ships with options to manage the password saving behavior, and to list all sites for which passwords are saved.

To access the options, do the following:

  1. Select the menu icon (three dots) in the upper right corner of the Edge interface, and select Settings from the menu.
  2. Scroll down until you find advanced settings, and click on the view advanced settings button.
  3. Scroll down to the privacy and services section.


You may flip the "offer to save passwords" switch from on to off to disable the password saving prompts and functionality.

A click on manage my saved passwords lists all saved accounts. Only the domain and username are displayed there.

You may click on the x-icon to delete an account, or click on the account entry to edit the username or password. Edge displays a password field on that page, but does not reveal the saved password there.


The Credential Manager

You may view the passwords in the Credential Manager, a Control Panel applet. The easiest way to open it is to tap on the Windows-key, type Credential Manager and select the result from the list that is returned.


Each account is listed under web credentials. While you see the domain name and username only on that page, you may click on the down arrow next to it to display additional information about it.


The password is encrypted, but you may click on the show link next to it to reveal it. This won't work right away though, as you are required to enter the Windows account password first to reveal the password.


The issue

One could say that using the credential manager works similarly to using a master password in other browsers.

Anyone with access to the device would still need the account password to display the saved passwords in Microsoft Edge.

While that is the case for the Credential Manager, it is not the case for third-party programs such as Edge Password Manager.

The program pulls the information from the operating system, and may show the passwords in clear text, with no form of protection in place to prevent this.


Anyone with access to the account can list all account passwords using the program.

One could say that this is not a problem if the PC is used alone, and if there is virtually no chance that someone else might access it.

Still, the issue exists and it may be exploited under certain circumstances.

The situation improves when extension support launches for Edge, as password managers such as LastPass will be made available for the browser.

Additionally, you may use local password managers such as KeePass, and copy & paste to sign in to services. Obviously, you would have to turn off the password saving in Edge for that.

I have not tested yet if KeePass' global login shortcut works when you use Microsoft Edge.

Summary
Article Name: Don't use Microsoft Edge to save passwords
Description: Read on to find out why you may not want to save passwords in Microsoft's new Windows 10 operating system web browser Microsoft Edge.
Publisher: Ghacks Technology News
Responses to Don’t use Microsoft Edge to save passwords

  1. Tom June 30, 2016 at 10:23 pm #

    So this is actually a deficiency in a third party program called “Edge Password Manager” and not the Edge browser itself.
    Misleading click bait heading.

    • Martin Brinkmann July 1, 2016 at 6:12 am #

      No, this is an issue in Microsoft Edge, as anyone can read out the passwords saved in the browser if they run the third-party program.

      • Anonymous July 1, 2016 at 6:59 am #

        So they need access to your PC, need to install the password program...third-party...then they get access to your passwords...gotcha. I'll let you try it from where you are at on my PC....now go.

      • Obi July 1, 2016 at 8:03 am #

        I'm not defending Edge, but the same "issue" is in _every password manager ever_. When you run 3rd party software all bets are off.

        But I guess Edge/IE users are the type of people who need to be reminded of this more than others, so in a way your post makes sense.

      • Martin Brinkmann July 1, 2016 at 8:11 am #

        You are right, other browsers show the same weakness.

      • Adam July 5, 2016 at 1:27 am #

        @Anonymous - an attacker doesn't need to have a physical access to your PC, there are plenty of viruses and malware which can be injected remotely. Unencrypted passwords are just unsafe, no matter which browser you use.

  2. Andrew June 30, 2016 at 10:24 pm #

    This is a flaw I think in all browsers. tbh, I don't get why there's some security to prevent people from running a program to get all the passwords. Like why aren't they encrypted somehow. Another example being Chrome. If you want to view your passwords, you have to put in your system's password... or you can just download ChromePass from Nirsoft and get them that way.

    • Obi July 1, 2016 at 8:08 am #

      It's not really a flaw, that's how Windows and most desktop OSs work by design. The passwords are either encrypted or usable. And if they're usable, they're visible to 3rd party software.

      The only way to prevent this would be some kind of sandboxing of 3rd party software on Windows, which would prevent access to passwords and other sensitive data.

  3. Tim June 30, 2016 at 10:39 pm #

    I'm not sure I follow, maybe I'm missing something? If you have control of a user's PC to install 'Edge Password Manager', then it's already game over, the machine is compromised and really anything goes. If the user is using KeePass instead, then just recording their keystrokes would make it equally ineffective. Even with 'Enter Master Key on Secure Desktop' switched on in KeePass it won't help because if someone has control of the PC they can just turn that off.

    If anything, Edge could potentially be safer because in the keylogger scenario, the attacker would make off with the entire KeePass database file and master password. However, if as you say in the article, passwords stored in Credential Manager are encrypted, then if they're strong passwords, 'Edge Password Manager' will come up with no plain text results for those hashed passwords when it tries to look them up. No?

    I think it's about time the FIDO alliance got their stuff together so we can get rid of the pain that are passwords altogether.

    • Martin Brinkmann July 1, 2016 at 6:10 am #

      You are right that the battle is lost already if someone manages to gain system access. Still, I think that this is an issue that does not need to be there. Think about homes where the same user account is used by everyone, or where people don't mind handing over their PC, tablet or laptop to someone else.

      Edge Password Manager reveals the passwords directly, without requiring the user account password.

      • Barlo July 1, 2016 at 8:30 am #

        Simple. Don't run as admin and anyone you hand your system to won't be able to install 3rd party tools. People should be logged in most of the time as a standard user.

      • Martin Brinkmann July 1, 2016 at 9:25 am #

        I understand that, but the reality is that many Windows users don't use standard user accounts.

  4. Lorenzo June 30, 2016 at 10:53 pm #

    Edge? Windows? Avoid those two and all problems are solved ;)

    • Tim June 30, 2016 at 11:05 pm #

      How so? Don't you use passwords on anything else?

    • JoeHTH July 1, 2016 at 4:30 am #

      Don't listen to this idiot. Windows 10 is great and Edge is very good. At least it doesn't crash half a dozen times a day like Firefox, nor does it track everything like Chrome.

      • harushi July 1, 2016 at 7:06 am #

        Your Firefox crashes a dozen times a day? You should buy a new computer.

      • Dave July 1, 2016 at 11:23 am #

        WOW, you seem to be a "windows 10 target audience" type of person... and that's as bad as an insult can get...

      • DRI July 1, 2016 at 1:11 pm #

        idiot.....Windows 10.....track everything like Chrome

        Hmmm

      • T J July 1, 2016 at 6:06 pm #

        @ JoeHTH

        I use Cyberfox. It NEVER crashes !!!

        "Windows 10 is great and Edge is very good"

        I'm still waiting for the final release version of Win 10. All releases to date have been Alpha, Beta or fixes for said Alpha/Beta.

        Edge. Where are the addons and extensions !

  5. Kreygasm July 1, 2016 at 9:51 am #

    I wonder if someone that actually uses Internet Explorer Edge will read this article.

  6. Dave July 1, 2016 at 11:22 am #

    No worries. I would not wipe my toilet seat with Microsoft Edge ...

  7. Mystique July 1, 2016 at 12:42 pm #

    Firefox does not crash half a dozen times here and if you are fit enough to run Edge then you are capable enough of downloading the correct version of Firefox and have sufficient RAM to meet your needs. If you exceed your RAM's capacity you are bound to have issues with any browser or software.
    Also if you have Edge then it's likely you have Windows 10 in which case you are having your data mined and are being tracked thus I can only assume that your point is moot.

    Whilst this is not the best article on Ghacks it does illustrate a rather obvious point and that is that your data is not safe and one should not go allowing just about anyone to work on your computer or login to your accounts in just about anyone's computer.
    Passwords are not safe but I am yet to see a viable option which is not invasive and violate one's privacy.
    Microsoft and the US have created a great deal of mistrust and I do not feel safe divulging any additional personal data to any unknown source beyond what I already do.

    Local files can be stolen and/or cracked so if we are to assume that we had some sort of unique magic cookie of sorts to replace the password then we must accept that it will be stolen at some point and become just as vulnerable as a password.

    • Pants July 1, 2016 at 4:34 pm #

      Please send your fingerprints, iris scans, photos of your face (please do not wear glasses and make sure to smile), and voice analytics, to [insert company name here], c/o The Worldwide Database for Law Enforcement and Terrorism FUD. Bonus points for providing biometrics for walking gaits, DNA, earprints, body dimensions, and first new-born baby souls (1 point per soul).

      • T J July 1, 2016 at 6:09 pm #

        @ Pants

        You left out foot/toe prints and shoe size. :-)

  8. AP July 1, 2016 at 3:57 pm #

    The same issue exists in IE, and other browsers too... http://www.nirsoft.net/utils/web_browser_password.html

    • Soy July 1, 2016 at 4:55 pm #

      I'm surprised! I have Firefox password viewer but I didn't know there's an 'all-in-one' password viewer.

  9. jasray July 1, 2016 at 5:17 pm #

    Rather naive--try ReCall

    http://keit.co/p/recall/

    Great tool!

    recALL allows you to quickly recover passwords from more than 270 programs (email, web browsers, instant messengers, FTP clients, wireless, etc.) and license keys from more than 2,800 applications. recALL the world's first program that allows you to recover the majority of passwords and also licenses from damaged operating systems through native support of the registry files from the system Windows.
    Thanks to the unique feature of emulation FTP, POP3 and SMTP can recover passwords from any application supporting these protocols, even if the program is not yet supported in recALL.

    All functions in one program.

  10. Gullible One July 3, 2016 at 11:51 pm #

    I have No Things to Hide, So Who Cares.
