The browser comes with a built-in password manager

Nov 29, 2022 11:16 GMT

I don’t know about you, but I use unique passwords for all my accounts, and absolutely all passwords use a highly complex 18-character combination that would be a nightmare to crack.

Obviously, I’m using a password manager for the whole thing, as this is pretty much the only way to handle a great number of passwords of such a high complexity.

As a modern browser, Microsoft Edge comes with a password manager of its own, so if you’re using this application to browse the web, you can securely store your account credentials without the need for a third-party alternative.

In other words, whenever you go to Microsoft.com, you can allow Microsoft Edge to remember your credentials and always be assured that your data is secure.

How does it do that? Here are three things that you must know.

AES-encrypted passwords stored on disk

Microsoft Edge doesn’t upload the passwords to a server, as they are stored locally and encrypted using AES.

The only way for an attacker to compromise your passwords is to break into your computer and steal your account’s passwords, in which case they already have access to everything on the device. On the other hand, even if the attacker obtains the admin password, they can’t access the passwords stored in a different Edge account, because the method requires that user to be logged in to decrypt the credentials.

“Microsoft Edge stores passwords encrypted on disk. They're encrypted using AES and the encryption key is saved in an operating system (OS) storage area. This technique is called local data encryption. Although not all of the browser’s data is encrypted, sensitive data such as passwords, credit card numbers, and cookies are encrypted when they are saved. The Microsoft Edge password manager encrypts passwords so they can only be accessed when a user is logged on to the operating system. Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in,” Microsoft explains.

Extensions can still read your passwords

While Microsoft Edge itself protects your passwords from attackers, a compromised extension can still expose your credentials.

This is because a browser add-on that is allowed to read what’s on a page can also read the auto-filled password, in which case it can transfer the credentials to a remote server. The difference, however, is that only one specific username and password pair is exposed: the one for the page that the extension can read.

Needless to say, this is the reason to always install extensions from trusted sources.
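The following is an added example, not code from the article or from Microsoft: a simplified audit that reports which host patterns in an extension's manifest.json would let it read a given login page. The sample manifests, extension names and URLs are constructed, and the matcher ignores ports and query strings.

```python
import re
from urllib.parse import urlsplit

# Chromium match-pattern shape: <scheme>://<host>/<path>
_PATTERN = re.compile(r"^(\*|https?|file|ftp)://(\*|\*\.[^/*]+|[^/*]*)(/.*)$")

def host_patterns(manifest):
    """Collect every pattern that lets the extension read or script pages."""
    found = set()
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and (p == "<all_urls>" or "://" in p):
                found.add(p)
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found

def pattern_matches(pattern, url):
    """Simplified match-pattern check (assumption: ports and queries ignored)."""
    parts = urlsplit(url)
    if pattern == "<all_urls>":
        return parts.scheme in ("http", "https", "file", "ftp")
    m = _PATTERN.match(pattern)
    if not m:
        return False
    scheme, host, path = m.groups()
    if scheme == "*" and parts.scheme not in ("http", "https"):
        return False
    if scheme != "*" and scheme != parts.scheme:
        return False
    h = parts.hostname or ""
    if host.startswith("*."):
        # "*.example.com" covers example.com and any subdomain of it
        if h != host[2:] and not h.endswith(host[1:]):
            return False
    elif host != "*" and h != host:
        return False
    path_re = re.escape(path).replace(r"\*", ".*")
    return re.fullmatch(path_re, parts.path or "/") is not None

def can_read(manifest, url):
    """Patterns in this manifest that give access to the page at url."""
    return sorted(p for p in host_patterns(manifest) if pattern_matches(p, url))

LOGIN_URL = "https://account.example.com/login"  # constructed
SAMPLES = {  # constructed manifests, hypothetical extension names
    "page-translator": {"permissions": ["storage"],
                        "content_scripts": [{"matches": ["<all_urls>"]}]},
    "shop-helper": {"host_permissions": ["https://*.shop.example/*"]},
    "new-tab-theme": {"permissions": ["storage"]},
}
```

An extension for which `can_read` returns a non-empty list for your login pages is one whose trustworthiness matters for the credentials auto-filled there.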

No need for a master password

The big difference between the Microsoft Edge password manager and a stand-alone application is that the latter comes with a master password.

This obviously adds another security layer that makes it harder for attackers to break in, but Microsoft says that such a feature doesn’t make sense in a browser, especially from a convenience perspective, as users would have to provide the master password every time they want the data to be automatically filled in.

“A Master Password feature (that authenticates the user before auto-filling their data) provides a trade-off in convenience for broader threat mitigation. Specifically, it helps to reduce the window of data exposure against latent malware or physically local attackers. However, a Master Password is not a panacea, and local attackers and dedicated malware have various strategies for circumventing the protection of a Master Password,” the company explains.