Microsoft Edge imports other browsers’ passwords
By Brian Livingston
When some readers installed the new Microsoft Edge browser — which replaces the old “legacy Edge” — they got a big surprise. They discovered that Edge had somehow magically absorbed all the usernames and passwords they’d carefully saved in their previously installed browsers, such as Chrome, Firefox, Internet Explorer, and legacy Edge.
What’s even more surprising is that Edge — which until recently couldn’t import or export passwords at all — may be behaving this way by design.
The bad news is that you shouldn’t store passwords in Edge in the first place — or in any browser, really. This may allow other programs, including malware, to read passwords that are stored in machine-readable files. Please read on.
Install the new Edge, and it immediately knows all your passwords?
The password-vacuuming behavior described above occurred because of the following sequence of events, according to one reader:
He originally used Firefox 88 as his browser and enabled it to store the usernames and passwords for several websites. But he never set a “primary password” to encrypt the file where Firefox stored his credentials.
He installed the new Edge. He later discovered that Edge had silently imported all his usernames and passwords that Firefox had previously stored. He says Edge never asked for his consent to copy the credentials.
He installed Firefox 89 some time later but didn’t allow the Mozilla browser to copy any of his stored credentials. To his surprise, when he used Firefox 89 to visit websites where he’d previously signed in, Firefox asked whether it should import the credentials from Edge’s password file.
Figure 1 shows the dialog box the reader photographed with his phone. This yes-no query might be named “May I import the passwords from Edge that you didn’t know Edge already had a copy of?”
Figure 1. When Edge was installed, it copied the passwords that had been stored by an existing instance of Firefox, a reader claims. When a new version of Firefox was installed without copying any passwords, it asked the user whether it should sign in to sites such as Social Security by importing login credentials from Edge. (I’ve highlighted Firefox’s request with an orange box.) Source: Screen shot from reader’s smartphone
Other users have reported a similar sequence of events involving Edge and the Chrome browser. In August, one poster said on the official Microsoft Answers forum for Edge:
I have no idea how this happened, but after updating my computer, Microsoft Edge opens up, which is normal I suppose, but they got my Google Chrome passwords and bookmarks without my consent …
Moderators quickly responded that Edge importing Chrome’s stored passwords without user approval “wasn’t very likely.” Edge is supposed to present the dialog box shown in Figure 2, asking whether to import or not import.
Figure 2. When Edge is installed, it’s supposed to present the user with a dialog box asking whether it can import saved passwords from whichever browser the user had previously used the most. Source: Microsoft Answers page
The history of Edge’s and other browsers’ stored passwords is a bit hard to follow. As recently as June 2020, users complained that Edge had an “export passwords” function but no ability to import passwords from other browsers at all.
Much later, on April 21, 2021 — just three months ago — users began reporting in Microsoft Answers posts that Edge had gained an import feature, but only in a private Insider Channels build and then only if a special command line were entered.
A long article, updated by a Microsoft Ambassador, finally describes on July 2 all the ins and outs of how Edge stores and manages passwords.
Separately, an undated and unsigned Microsoft support document explains the rules Edge follows when it decides whether to copy a previously installed browser’s saved passwords:
If the new Edge is being installed, and it finds that the user’s most-often-used previous browser was legacy Edge, the new Edge copies all of legacy Edge’s passwords and data without asking the user for consent. (This sounds suspiciously like the behavior that some users reported about Edge when Chrome or Firefox was their installed browser.)
If Edge finds a previously installed copy of Internet Explorer, Edge gives the user options to import saved passwords, favorites, browsing history, and other data types.
If the previously installed browser is Chrome, Edge gives the user the option to import saved passwords, favorites, browsing history, and nine other data types (including saved credit-card numbers).
If the previously installed browser is Firefox, Edge currently can import only four data types: saved passwords, favorites, browsing history, and addresses.
Other browsers, such as Brave, Safari, Opera, and Tor are apparently not supported by Edge’s new import function.
Whew! That’s a lot to take in. But you don’t need to remember all of the above. All you need to remember is that most browsers store your saved passwords in an unsecure way that malware can silently copy and send to a hacker’s server.
Without a master password, storing your passwords is a bad idea
I urged my readers to establish a “master password” way back in a November 23, 2004, article, which remarkably is still online. Back then, the exciting new browser was Firefox 1.0. It was the only browser that allowed you to enter an overall string that would encrypt your saved passwords, protecting them from snoopy co-workers and hidden malware. IE certainly couldn’t protect you.
I can’t believe that almost 17 years later I still need to ask people to do this. Browsers should encrypt your saved passwords by default. But most don’t.
The German Federal Office for Information Security (BSI, in German) audited Edge 44, IE 11, Chrome 76, and Firefox 68 in September 2019. Firefox was the only browser that supported a master password. (Mozilla now calls this the “primary password.”) Chrome and Edge also lacked an option to block telemetry collection and provide organizational transparency.
As a result, BSI recommended that German agencies and businesses use only Firefox. For more information, see a ZDNet article and a Forbes summary.
As recently as April 9, 2021, a poster at the Microsoft Tech Community forum announced that a master-password feature had been spotted in a beta version of Edge. However, it’s only a “controlled feature,” meaning it’s not yet in wide distribution.
As of July 6, Microsoft’s official feature roadmap for Edge said: “Require authentication before auto-filling passwords.” The target date was given as April 2021, but the status of this feature was still described as “in development.”
I asked Microsoft officials how Edge handles saved passwords from other browsers. According to Microsoft, “Microsoft Edge does not directly pop-up or autofill data from other browsers. Instead, customers have the option to import their browsing data from other browsers to Microsoft Edge based on their interest and consent.”
Regarding reports that Edge had copied saved-password files from Chrome and Firefox without user approval, Microsoft’s statement said this: “The Edge password import feature is now enabled by default in all Microsoft Edge Channels. It can be found on the edge://settings/passwords page inside the Overflow Menu of the Saved Passwords table. Microsoft is looking into the reports you shared and monitoring feedback to improve customer password import experiences.”
There’s good news on whether Edge will soon allow users to enter a master password that would encrypt any username/password combinations that Edge saves. “Microsoft will offer this functionality closer to end of July. If you are on a shared device or have left your computer unlocked, you can opt to add a second verification using your device password to avoid others accessing your website credentials or auto-fill data.”
The statement added: “For more information on Microsoft Edge’s encryption method, please see this support doc: Microsoft Edge password manager security.”
When someone who really knows what Edge is doing with passwords becomes available, I’ll write more about it in this space.
That Microsoft support document states: “Microsoft security baselines recommend disabling the password manager.” The reason is that a computer worm that compromises a network of PCs could obtain all the passwords stored by every browser on the network.
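An added example, not from the article or from Microsoft: a PowerShell check of the Edge group-policy registry values that turn off the built-in password manager and the import of saved passwords from other browsers. The function name is hypothetical, and checking the two import policies alongside PasswordManagerEnabled is this example's own choice, prompted by the import behavior described earlier.

```powershell
# Added example: audit (and optionally enforce) Edge policies related to saved passwords.
# The function name and the set of policies checked are assumptions of this example.
function Test-EdgePasswordPolicy {
    [CmdletBinding()]
    param(
        [switch]$Enforce   # write the desired values; needs an elevated session
    )

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

    # Policy name -> value that blocks saving or importing passwords
    $desired = [ordered]@{
        PasswordManagerEnabled = 0   # do not offer to save passwords
        ImportSavedPasswords   = 0   # do not import saved passwords from other browsers
        AutoImportAtFirstRun   = 4   # 4 = DisabledAutoImport (applies to first run only)
    }

    foreach ($name in $desired.Keys) {
        $current = $null
        if (Test-Path $key) {
            # A missing value yields $null rather than an error
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $ok = ($null -ne $current) -and ($current -eq $desired[$name])

        if (-not $ok -and $Enforce) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            $current = $desired[$name]
            $ok = $true
        }

        [pscustomobject]@{
            Policy    = $name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Desired   = $desired[$name]
            Compliant = $ok
        }
    }
}

# Report only; add -Enforce to write the values.
Test-EdgePasswordPolicy | Format-Table -AutoSize
```

A value reported as "(not set)" means Edge falls back to its default for that policy, so the machine is not covered by the setting.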
For all the above reasons, I’m going to tell you now not to store passwords in browsers at all.
Storing passwords in your browser was never a good idea
Despite the precautions browsers may take, your usernames and passwords are prime targets for hackers. Your stored credentials may include the keys to your bank account, your credit union, your credit cards, and more.
The MITRE ATT&CK website lists in Document T1555.003 more than 70 attack vectors that are currently circulating to scrape your passwords out of whatever files various browsers store them in. The security group also lists numerous exploits that hack into the old Windows Credential Manager and even some password managers, such as KeePass...
From the free version of the "Ask Woody" e-mail newsletter - 2021-07-12. Also available on their web page, askwoody.com