Like Firefox, Microsoft Edge has a password manager. How does it work? What do you need to know about it? Here are the three things to know.
Online security requires the use of complex passwords. In addition, it is imperative for each account to use unique and long identifiers. Given these two recommendations, it becomes clear that using a password manager is the only way to manage such complexity.
As a so-called “modern” browser, Microsoft Edge comes with its own password manager. As a result, it is no longer necessary to use a third-party application on the Internet. The browser is able to store credentials securely. At the next sign-in, it can then offer to fill in the fields you need to identify yourself.
Here are three things to know about it:
The data is stored locally and above all it is encrypted.
The credentials saved by Microsoft Edge are not uploaded to a server. Everything is stored locally and protected using AES encryption.
If a hacker wants to read this content, he will have to find a way to break into the PC. He will then have to find the administrator credentials in order to have access to all the content. However, the case is more complex because he cannot access passwords stored in another Edge account. Decrypting the credentials requires a login.
Microsoft Edge stores encrypted passwords on disk. They are encrypted using AES and the encryption key is saved in an operating system (OS) storage area. This technique is called local data encryption. Although not all browser data is encrypted, sensitive data such as passwords, credit card numbers, and cookies are encrypted when stored.
The Microsoft Edge password manager encrypts passwords so that they can only be accessed when a user is logged into the operating system. Even if an attacker has administrator rights or offline access and can access locally stored data, the system is designed to prevent the attacker from obtaining the plain text passwords of a user who is not logged in.
Extensions can read passwords
On the other hand, although the browser is designed to protect access to passwords, a compromised extension can still expose credentials. For example, an add-on authorized to read what is on a page can read, and therefore save, the password filled in automatically by the browser. In this case, the data can be transferred to a remote server. Such an attack, however, only affects the page that is open and currently being viewed.
Faced with this risk, the best approach is to never install add-ons and extensions from unknown and untrusted sources.
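To see which installed extensions have that kind of page access, the following sketch (an added example, not part of the original article and not Microsoft's code) reads Chromium-style manifest.json files and flags host permissions or content-script match patterns that cover every page. The sample manifests are constructed, and the folder passed to audit_extension_dir is an assumption: point it at the extension folder of the browser profile you want to review.

```python
import json
from pathlib import Path

# Match patterns that let an extension read every page the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_page_access(manifest: dict) -> list:
    """Return the reasons an extension can read the content of any page."""
    reasons = []
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                reasons.append(f"{key}: {entry}")
    # Content scripts run inside the page and can see form fields,
    # whether typed by the user or filled in by the browser.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                reasons.append(f"content_scripts: {pattern}")
    return reasons

def audit_extension_dir(root: Path) -> dict:
    """Scan every manifest.json under root; report extensions with broad access."""
    findings = {}
    for path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        reasons = broad_page_access(manifest)
        if reasons:
            findings[manifest.get("name", str(path.parent))] = reasons
    return findings

# Constructed sample manifests (not real extensions).
SAMPLE_BROAD = {"name": "Sample Toolbar", "manifest_version": 3,
                "permissions": ["storage"], "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]}
SAMPLE_NARROW = {"name": "Sample Notes", "manifest_version": 3,
                 "permissions": ["storage", "activeTab"],
                 "host_permissions": ["https://notes.example.com/*"]}

if __name__ == "__main__":
    for m in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(m["name"], "->", broad_page_access(m) or "no broad page access")
```

An extension that appears in the report is not necessarily malicious, but it is one whose source and publisher deserve a closer look.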
Edge’s password manager does not use a master password
Finally, unlike a standalone application, Microsoft Edge’s password manager does not use a master password. In other words, it does not require a credential to access its content. According to Microsoft, this makes sense in a browser, mostly from a “convenience” point of view. Such a feature would make filling in the fields non-automatic, since the user would first have to provide the master password.
A master password feature (which authenticates the user before auto-filling their data) offers a handy compromise for broader threat mitigation. It reduces the data exposure window against latent malware or local attackers. However, a master password is not a panacea, and local attackers and dedicated malware have various strategies to circumvent the protection of a master password.