
Don’t use Microsoft Edge to save passwords

Microsoft Edge, just like any modern browser, comes with options to save account passwords when you enter them on websites.

Microsoft Edge displays a prompt at the bottom of the browser window whenever it recognizes a sign-in to a service or website.

You may use it to save the password so that it is filled out automatically when you need to sign in to the site again.

Microsoft Edge saves the site, username and password when you select the yes option, and fills out the login information automatically the next time you open the sign-in page.

Microsoft Edge saved passwords


Microsoft Edge ships with options to manage the password saving behavior, and to list all sites passwords are saved for.

To access the options, do the following:

  1. Select the menu icon (three dots) in the upper right corner of the Edge interface, and select Settings from the menu.
  2. Scroll down until you find advanced settings, and click on the view advanced settings button.
  3. Scroll down to the privacy and services section.


You may flip the "offer to save passwords" switch from on to off to disable the password saving prompts and functionality.

A click on manage my saved passwords lists all saved accounts. Only the domain and username are displayed there.

You may click on the x-icon to delete an account, or click on the account entry itself to edit the username or password. Edge displays a password field on that page, but does not reveal the saved password there.


The Credential Manager

You may view the passwords in the Credential Manager, a Control Panel applet. The easiest way to open it is to tap on the Windows-key, type Credential Manager and select the result from the list that is returned.


Each account is listed under web credentials. While you see the domain name and username only on that page, you may click on the down arrow next to it to display additional information about it.

The password is encrypted, but you may click on the show link next to it to reveal it. This won't work right away though, as you are required to enter the Windows account password first to reveal the password.


The issue

One could say that using the credential manager works similarly to using a master password in other browsers.

Anyone with access to the device would still need the account password to display the saved passwords in Microsoft Edge.

While that is the case for the Credential Manager, it is not the case for third-party programs such as Edge Password Manager.

The program pulls the information from the operating system, and may show the passwords in clear text; no form of protection prevents this.


Anyone with access to the Windows user account can list all saved account passwords using the program.

One could say that this is not a problem if the PC is used alone, and if there is virtually no chance that someone else might access it.

Still, the issue exists and it may be exploited under certain circumstances.

The situation will improve when extension support launches for Edge, as password managers such as LastPass will be made available for the browser.

Additionally, you may use local password managers such as KeePass, and copy & paste to sign in to services. Obviously, you would have to turn off the password saving in Edge for that.

I have not tested yet if KeePass' global login shortcut works when you use Microsoft Edge.

 

This article was first seen on ComTek's "TekBits" Technology News
