Microsoft has confirmed that a known security gap is being tolerated out of necessity rather than any secure intent: the sharing of a common password across users. From the pure security perspective, this is always seen as a big no-no whether the reason is managing social media accounts (and we've all seen those tumble after a password is compromised) or enabling a team to access a shared data repository. Now, following Microsoft's Ignite 2024 developer conference, the shared password security fix is in. Here's what you need to know.
The risky practice of sharing passwords can lead to unapproved users gaining access where they shouldn't and all the downstream security consequences that can bring. But, according to Lindsay Kubasik, the group product manager for Edge enterprise at Microsoft, writing after the annual Ignite developer conference, "secure password deployment in the Edge management service can help put an end to this."
Secure password deployment is rolling out over the coming months for Microsoft 365 Business Premium, E3, and E5 subscriptions. The feature lets Microsoft 365 admins deploy encrypted passwords that are shared with a configured set of users, who will then be able to "log into websites seamlessly without ever seeing the actual passwords," Kubasik said, "reducing the risk of unauthorized access and enhancing your organization's overall security posture."
As far as consumer users of the Microsoft Edge browser are concerned, the advice regarding shared passwords is simple: don't do it. While Microsoft enables secure storage of passwords for consumer users of the Edge browser, sharing is always a high-risk activity because it expands the threat surface. That said, Microsoft Edge encrypts stored passwords on disk, with the key saved in a Windows operating system storage area. "Although not all of the browser's data is encrypted," Microsoft said, "sensitive data such as passwords, credit card numbers, and cookies are encrypted when they are saved."
This means that Edge encrypts passwords so that they can only be accessed from a logged-on session of the operating system user who saved them. "Even if an attacker has admin rights or offline access and can get to the locally stored data," Microsoft said, "the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in."
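The user-bound protection Microsoft describes is what the Windows Data Protection API provides, and the following PowerShell is an added illustration of that property, not Microsoft's or Edge's own code; it assumes Edge's "operating system storage area" is DPAPI, and the secret and entropy values are constructed for the demo.

```powershell
# Added example (not Edge's code): protecting a secret at rest under
# DPAPI user scope versus machine scope via .NET's ProtectedData.
# Assumption: Edge's OS-held encryption key is DPAPI-protected.
Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1

$enc     = [System.Text.Encoding]::UTF8
$secret  = $enc.GetBytes('demo-password-not-real')   # constructed value
$entropy = $enc.GetBytes('demo-optional-entropy')    # constructed value
$PD      = [System.Security.Cryptography.ProtectedData]
$Scope   = [System.Security.Cryptography.DataProtectionScope]

# CurrentUser scope: only a logon session of the same Windows account can
# unprotect the blob; the key is derived from that account's logon secret,
# which is why offline copies or another admin's session cannot decrypt it.
$userBlob = $PD::Protect($secret, $entropy, $Scope::CurrentUser)

# LocalMachine scope: any process on this machine that knows the entropy
# can unprotect it. The weak choice for a per-user secret; shown for contrast.
$machineBlob = $PD::Protect($secret, $entropy, $Scope::LocalMachine)

# Persist the user-scoped blob the way a browser would (base64 in a file).
$blobPath = Join-Path $env:TEMP 'dpapi-demo.blob'
[Convert]::ToBase64String($userBlob) | Set-Content -Path $blobPath

# Round trip in the same user's session succeeds.
$stored    = [Convert]::FromBase64String((Get-Content -Path $blobPath -Raw))
$recovered = $PD::Unprotect($stored, $entropy, $Scope::CurrentUser)
"Same user recovers secret: $($enc.GetString($recovered) -eq 'demo-password-not-real')"

# Copy dpapi-demo.blob to another Windows account and run the Unprotect
# line above there: it throws CryptographicException, because the blob is
# bound to the account that protected it, matching the behaviour quoted above.
Remove-Item -Path $blobPath
```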
Of course, if an attacker can obtain the user's operating system account password, all bets are off, which is why Microsoft and other vendors recommend robust passwords and a password manager together with two-factor authentication, or, better still, a passkey.