Protecting your digital identity


We live in a world of usernames, passwords, and PINs when it comes to using our computing devices connected to the Internet. These are very important elements of the digital economy and providing the infrastructure for these in Windows is serious business. This work starts with the most basic step of signing in to Windows, and then includes the technologies used to secure the myriad of accounts you will come to use over time. In this post we take a look at the architectural improvements to Windows that enable even more secure management of your many passwords. Dustin Ingalls, the author of this post, is a group program manager on the security and identity team.

–Steven


One of the challenges that we spent a lot of time thinking about while planning Windows 8 was how to help you manage your digital identity in a way that is both convenient and secure. In today’s world, there are a number of very interesting details with respect to digital identities, how they are used, and how they are protected.

Currently, the most common way people verify their digital identity is by using a password. Passwords are used to sign in to your computer, to your bank, to web merchants, and lots of other places. Our research has shown us that the average person using a PC in the United States typically has about 25 online accounts.(1) That’s a lot to keep track of! In fact, the data also shows that the number of unique passwords across those 25 accounts is only about 6. For folks who spend time thinking about security, that’s a worrisome finding as it shows that the average person reuses the same password quite frequently across accounts. Additionally, given that different websites have different password policies (some require alphanumeric with special characters, some disallow special characters, some have minimum password lengths, some don’t, etc.), it’s likely that the number of unique passwords across accounts would be even lower if websites actually had the same password policies.

On the one hand, that's completely understandable. Remembering a bunch of different passwords is difficult, especially for accounts that we don't use frequently. On the other hand, password reuse is very useful to attackers: they know that if they can learn your password for one site, it's highly likely that you use the same password on other sites. Even worse, an attacker can often use your sign-in information to reset the password for other accounts where the password actually is different. For example, if an attacker somehow gains access to the password for one of your accounts, there's a strong probability that you use the same password for one of your web email accounts. Given that there are only a handful of major web email providers, finding yours is often pretty easy. Once an attacker controls your email, they can go to other common sites (major banks, major online merchants, etc.) and use the "lost password" functionality to send a password reset link to the email account they've already taken over, so the email account is effectively the master key to everything that recovers through it.

(As an aside, the Hotmail team has spent a great deal of effort in redesigning the password recovery process for Hotmail. There are many ways that “bad guys” attempt to compromise online accounts (from all providers) and Hotmail is no different. When your account becomes compromised (or you legitimately forget your password), we have in place a number of security steps to make sure that you, and only you, can restore your account. While these might seem inconvenient, consider the relatively small amount of information you provided in order to sign up. That’s why we encourage people to add either a secondary email account, or even better, a mobile phone number to their account information. The latter is especially hard to duplicate or hack. If you do find yourself with a compromised Hotmail account, you can reset your password. And for those of you using public terminals or untrusted environments to access Hotmail, we encourage you to use a single-use password sent to you via SMS.)

Clearly, the overall user name/password framework leads to a set of interesting challenges. We all want the web to be frictionless, easy, and safe. Having to remember a whole bunch of complex passwords generally isn’t perceived as frictionless. However, using the same easy-to-remember password across multiple sites isn’t safe. The ideal solution here involves somehow finding a way to make it both easy and safe to use all of your different digital identities.

In thinking through this challenge, there are two basic approaches to making it both easier and safer to manage your digital identity. One approach is to enable Windows to help you manage your passwords. If you could have complex, unique passwords for each website you visit without having to remember them all, that would certainly be easier than having one easy to remember password – at the same time, the complex password would make the business of compromising your identity much more difficult for hackers. Another approach is to use something other than a password to help protect and establish your identity. There have been a number of alternatives to passwords available for many years—technologies such as One Time Passwords (OTP), certificates, smart cards, etc. However, despite some of the superior security properties of these password alternatives, they haven’t exactly caught on for mainstream use—mostly because they’re just not as easy to use as a password.

With Windows 8, we provide support for both the safe storage of username/password combinations, and technology to support alternate authentication; that is, we try to make it easier for you to enhance the security of your passwords, and easier to use newer and stronger techniques for protecting your digital identity.

Shortcomings of passwords

There are a number of different methods that attackers use to try to obtain your password. The most common methods are:

Phishing. Phishing involves tricking a user into revealing their password directly to the attacker. Common forms of phishing include “please reset your account” emails that either ask you to send in your password, or link to a website that looks like a popular website and ask you to enter your password.

Guessing. Given people’s natural preference for easy to remember passwords, attackers can often gain access to an account by simply running through the top 10 or 20 passwords most commonly in use on the Internet. Attackers can also make use of public information (perhaps based on your public social networking profile) to find other easy to guess passwords based on things like your favorite sports team or favorite pet.

Cracking. In certain situations, an attacker can capture a snippet of data (usually the password's hash value) and use it to derive your password offline, by hashing candidate passwords and comparing the results. No further interaction with the site is needed, so the site's lockout or rate-limiting policy does not help. Freely downloadable tools and word lists let attackers recover passwords of fewer than 8 characters very quickly, and any password that appears in a list of commonly used or previously leaked passwords is recovered almost instantly regardless of its length.

Keylogging. If an attacker can successfully install a keylogger on a device, they can record each time you hit a key on your keyboard, and therefore easily pick up name/password combinations. This is an especially common attack on public PCs or kiosks. (That’s why, for example, using the single use code instead of a password for Hotmail is a good idea in such situations!)
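The guessing and cracking attacks above, as an added illustration that is not part of the original post. The captured hashes, the user names and the "top passwords" list are constructed for this example, and the hash rate used for the time estimate is an assumed figure, not a measurement. Unsalted SHA-256 stands in for whatever fast hash an attacker might capture; the point is the arithmetic, which is the same for any fast hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hashHex models the captured "snippet of data": an unsalted, fast hash of the
// password. (Illustrative only; real systems should use a slow, salted hash.)
func hashHex(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// Leaked is a constructed set of captured hashes, one per (made-up) user.
var Leaked = map[string]string{
	"alice": hashHex("password1"),                // appears in the common-password list
	"bob":   hashHex("qzx7"),                     // not in any list, but only 4 characters
	"carol": hashHex("correct-horse-7Q!battery"), // long and unique
}

// TopPasswords is a constructed stand-in for the "top 10 or 20" lists attackers try first.
var TopPasswords = []string{
	"123456", "password", "12345678", "qwerty", "abc123",
	"password1", "111111", "letmein", "monkey", "iloveyou",
}

// GuessFromList is the "guessing" attack: hash each common password and
// compare it with the captured hash.
func GuessFromList(targetHex string, list []string) (string, bool) {
	for _, candidate := range list {
		if hashHex(candidate) == targetHex {
			return candidate, true
		}
	}
	return "", false
}

// BruteForce is the "cracking" attack: enumerate every string over alphabet
// up to maxLen characters and hash each one. idx is an odometer-style counter
// that walks through all len(alphabet)^n strings of each length n.
func BruteForce(targetHex string, alphabet string, maxLen int) (string, bool) {
	target, err := hex.DecodeString(targetHex)
	if err != nil || len(target) != sha256.Size {
		return "", false
	}
	var want [sha256.Size]byte
	copy(want[:], target)
	for n := 1; n <= maxLen; n++ {
		idx := make([]int, n)
		buf := make([]byte, n)
		for {
			for i, j := range idx {
				buf[i] = alphabet[j]
			}
			if sha256.Sum256(buf) == want {
				return string(buf), true
			}
			p := n - 1 // advance the odometer, carrying to the left
			for p >= 0 {
				idx[p]++
				if idx[p] < len(alphabet) {
					break
				}
				idx[p] = 0
				p--
			}
			if p < 0 {
				break // every string of length n has been tried
			}
		}
	}
	return "", false
}

// Keyspace is the number of candidate passwords of exactly the given length
// (float64 so that lengths beyond uint64 range can still be estimated).
func Keyspace(alphabetSize, length int) float64 {
	n := 1.0
	for i := 0; i < length; i++ {
		n *= float64(alphabetSize)
	}
	return n
}

// SecondsToExhaust estimates how long a full search takes at a given hash rate.
func SecondsToExhaust(alphabetSize, length int, hashesPerSec float64) float64 {
	return Keyspace(alphabetSize, length) / hashesPerSec
}

func main() {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	for _, user := range []string{"alice", "bob", "carol"} {
		if p, ok := GuessFromList(Leaked[user], TopPasswords); ok {
			fmt.Printf("%s: guessed from list: %q\n", user, p)
		} else if p, ok := BruteForce(Leaked[user], alphabet, 4); ok {
			fmt.Printf("%s: brute-forced: %q\n", user, p)
		} else {
			fmt.Printf("%s: not recovered\n", user)
		}
	}
	// Assumed 1e9 hashes/second for an unsalted fast hash (illustrative, not measured).
	for _, l := range []int{6, 7, 8, 12} {
		fmt.Printf("95 printable chars, length %d: %.0f seconds to exhaust\n", l, SecondsToExhaust(95, l, 1e9))
	}
}
```

Two things the numbers make concrete: a password on a common list falls to the first attack no matter how long it is, and for the second attack each extra character multiplies the work by the alphabet size, which is why the post's advice is "long and unique" rather than "clever".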

Improving the security and usability of passwords

There are a number of important steps you can take to help protect against all of these types of attacks. One of the most important steps is to keep your PC clean and free of malware (to help against phishing and keylogging). Windows 8 includes a number of substantial features in this area that we’ve already covered in prior blog posts (Secure Boot, SmartScreen and Windows Defender enhancements, etc). However, some attacks (like guessing and cracking) rely only on password strength, so it’s important to use strong, complex passwords that are unique to each account.

Windows 8 simplifies the task of managing unique and complex passwords in two important ways. The first is by providing a way to automatically store and retrieve multiple account names and passwords for all the websites and applications you use, and to do so in a protected manner. Internet Explorer 10 uses the credentials that we store to remember names and passwords for websites you visit (if you choose). In addition, anyone building a Metro style app can use a direct API to securely store and retrieve credentials for that app. (It is important to note that IE respects instructions from websites about saving your credentials: some websites specifically request, via the autocomplete="off" attribute on their sign-in forms, that passwords not be saved.)

[Screenshot: the Credential Manager control panel. Heading "Manage your credentials"; subheading "View and delete your saved logon information for websites, connected applications and networks."; tabs "Web Credentials" and "Windows Credentials"; below them, a list of websites and their saved passwords.]

Windows 8 allows you to securely store and manage all of your sign-in credentials

The second important investment in this area was covered in an earlier post by Katie Frigon, Signing into Windows 8 with a Windows Live ID. One of the great things you get when you sign in to Windows with your Windows Live ID is the ability to sync the credentials you’ve stored to all of the Windows 8 PCs that you register as your “Trusted PCs.”

When you store credentials in conjunction with signing in to Windows with your Windows Live ID, Windows enables you to set your password for each account to something that is both complex and unique; since Windows 8 will automatically submit the credential on your behalf, you’ll never need to remember it yourself. If you need to see the actual password at some point later, you can view it in the credential manager shown here, from any of your Trusted PCs.

The same principles that keep your credentials safer on websites and applications also apply to how you sign in to your PC. The password you use to protect the account on your PC must be resilient to guessing and cracking. Windows 8 helps with this, helping you to set a very strong password for sign-in, while at the same time enabling a number of “convenience” sign-in methods such as Picture Password and biometrics. This makes it easy to sign in to your PC, without sacrificing security. We will cover Picture Password and other sign-in methods in more detail in a future post.

It is worth reiterating that signing in to your PC with a Windows Live ID, in addition to making sign-in easier, also offers improved sign-in security and gives you a clear path to recovery if you forget your Windows password. With a local account, if you forget your password you're in a tough spot: unless you created a password reset disk earlier (or another administrator on the PC can reset it for you), you're locked out of that account. However, if you sign in to your PC with a Windows Live ID, you can reset your password from another PC. If your Windows Live ID password was stolen somehow, you still have the benefit of a number of Windows Live safety features that are designed to detect compromise and limit your account usage until you can successfully prove that you are the rightful owner of your account and recover it. The account recovery workflow uses the secondary account proofs (a second factor) that you set up earlier, such as a mobile phone number or secondary email address; if you haven't already set these up, we'll ask you for them the first time you use your Windows Live ID with Windows 8. Also, even if your Windows Live ID is in a compromised state, you will still have full access to your PC, since Windows caches a protected verifier of your last "known good" sign-in password and lets you continue signing in with it while the online account is unavailable.

Creating an easy to use alternative to passwords

While a complex and unique password can be highly resistant to guessing and cracking, because it is what we refer to as a “shared” or “symmetric” key, it is still always vulnerable to phishing and keylogging. Since the key is shared between you and whatever you are signing in to, if the attacker can somehow gain access to your secret key, the game is up. However, there are alternatives that offer strong protection against these types of attacks.

One alternative is public/private key pairs. The certificates used by Secure Sockets Layer and Transport Layer Security (SSL/TLS) are an example; they are the most commonly used method for protecting network traffic on the Internet today. Public/private key pairs differ from passwords in that they are "asymmetric": the private key and the public key are different, and knowledge of the public key does not let an attacker derive the private key. Put very simply, in a public/private key sign-in scheme, when you want to sign in to a service, the service sends you a fresh sign-in challenge, you sign the challenge with your private key, and the service uses your public key to verify the signature, which proves cryptographically that the challenge was signed by whoever holds the corresponding private key. This is referred to as "proof of possession". As long as you haven't lost your private key, there is strong cryptographic proof that you are the real account holder signing in to the service. Since the private key itself is never transmitted, keylogging and phishing no longer work the way they do against passwords: there are no keystrokes to log, and in the worst case, if a user is tricked into using their private key to sign an authentication challenge for a fake website, nothing reusable is given away, because a signature over one challenge cannot be replayed against a different one. One caveat a practitioner should keep in mind: this holds only if what the user signs is bound to the site the user is actually talking to (in TLS client authentication the signature covers the handshake with that specific server). If the signed data were just an opaque challenge, a fake site could fetch a challenge from the real service, pass it to the victim to sign, and relay the signature in real time; the binding is what turns "not replayable" into "not phishable".
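The exchange described above, as an added example that is not part of the original post and not Microsoft's code. It models both sides of a challenge-response sign-in with an Ed25519 key pair standing in for the certificate-based mechanisms the post refers to, and runs the same scenario twice: once with the signed message bound to the origin the user is talking to, and once over the bare challenge, so the relay attack from the caveat can be seen succeeding only in the unbound case. The origins and the bank service are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// message is what the client signs. With origin binding it covers the site the
// browser is talking to as well as the challenge; without it, only the challenge.
func message(origin string, challenge []byte, bind bool) []byte {
	if !bind {
		return challenge
	}
	return append([]byte(origin+"\x00"), challenge...)
}

// Service is the relying party (a hypothetical bank). It holds the user's public
// key from enrollment and remembers which challenges are outstanding.
type Service struct {
	Origin     string
	UserPub    ed25519.PublicKey
	BindOrigin bool
	pending    map[string]bool
}

func NewService(origin string, pub ed25519.PublicKey, bind bool) *Service {
	return &Service{Origin: origin, UserPub: pub, BindOrigin: bind, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce; each nonce is accepted once.
func (s *Service) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[string(c)] = true
	return c
}

// Verify accepts a sign-in only if the challenge is outstanding and the
// signature is valid over the message this service expects for its own origin.
func (s *Service) Verify(challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false // unknown or already-consumed challenge (replay)
	}
	delete(s.pending, string(challenge))
	return ed25519.Verify(s.UserPub, message(s.Origin, challenge, s.BindOrigin), sig)
}

// Client holds the private key. It answers challenges but never discloses the
// key, so a keylogger or phishing page has nothing reusable to capture.
type Client struct {
	priv       ed25519.PrivateKey
	BindOrigin bool
}

// Sign answers a challenge for the origin the browser is currently showing.
func (c Client) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, message(origin, challenge, c.BindOrigin))
}

// Scenario runs an honest sign-in, a relay (phishing) attempt and a replay
// attempt, and reports which of them the real service accepted.
func Scenario(bindOrigin bool) (legitOK, relayOK, replayOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := NewService("https://bank.example", pub, bindOrigin)
	user := Client{priv: priv, BindOrigin: bindOrigin}

	// Honest sign-in: the user signs the bank's challenge for the bank's origin.
	c1 := bank.Challenge()
	sig1 := user.Sign(bank.Origin, c1)
	legitOK = bank.Verify(c1, sig1)

	// Relay: a look-alike site fetches a real challenge from the bank, gets the
	// victim to sign it on the fake origin, and forwards the signature.
	c2 := bank.Challenge()
	relayOK = bank.Verify(c2, user.Sign("https://bank-example.com", c2))

	// Replay: re-sending the honest signature after its challenge was consumed.
	replayOK = bank.Verify(c1, sig1)
	return legitOK, relayOK, replayOK
}

func main() {
	for _, bind := range []bool{true, false} {
		l, r, p := Scenario(bind)
		fmt.Printf("origin binding %-5v: honest=%v relay=%v replay=%v\n", bind, l, r, p)
	}
}
```

With binding on, only the honest sign-in is accepted; with binding off, the relayed signature is accepted too, because the bank cannot tell which site the user thought it was signing for. Real deployments get the binding from the protocol (the TLS handshake transcript for client certificates, for example) rather than from an ad hoc origin prefix like the one used here.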

Although this technology is used extensively on the Internet today, it still hasn't replaced conventional password sign-in. Why not? The main reason is that strong protection of a private key typically requires dedicated hardware (hardware security modules (HSMs) and smart cards are the typical examples), and historically the use of such hardware hasn't been very convenient: if you lose the hardware or don't have it with you, you can't sign in.

Windows 8 has a number of new features that make it much easier for both users and application developers to make use of public/private key methods. Windows already provides fairly extensive support for key pairs and certificates, but strong protection of the private key, as I mentioned earlier, typically relied on HSMs or smart cards. Windows 8 includes a new Key Storage Provider (KSP), the Microsoft Platform Crypto Provider, which provides easy, convenient use of the Trusted Platform Module (TPM) as a way of strongly protecting private keys. A TPM is a tamper-resistant cryptographic coprocessor (a dedicated security chip) found on many business-class PCs today, and we expect much broader availability of TPMs when Windows 8 ships. A key generated in the TPM never leaves it in clear form: software asks the TPM to sign with the key but cannot read the key out, so it cannot be copied to another machine. Metro style apps have APIs that make it easy to automatically enroll and manage such keys on your behalf. The Windows Dev Center provides a sample banking app that shows developers how to use this API.

The KSP feature is particularly useful for banking and commerce applications, since it provides very strong resilience against the most common types of identity attacks on the Internet today while using hardware inside your PC to prevent malware from stealing your private key. Note the precise guarantee: malware running on a compromised PC may still be able to ask the TPM to sign with the key while the malware is present, but it cannot extract the key and use it from somewhere else, and removing the malware ends its access. A stolen password, by contrast, stays useful to the attacker until it is changed.

For organizations and businesses that already use smart cards, we've implemented a new feature that builds on the TPM KSP and enables the TPM to function as a "virtual smart card." This solution is more convenient and economical because you don't need a physical smart card or reader, and deployment is also easier because the virtual smart card works with existing smart card applications and management solutions. The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible; no server- or application-side changes are required. Because the key lives in that PC's TPM, a virtual smart card is tied to the PC it was created on (the "something you have" is the PC itself), so a user who works from several machines gets a separate virtual smart card, with its own certificate, on each one. Also, Windows 8 continues to support cards compliant with the Personal Identity Verification (PIV) standard or the Generic Identity Device Specification (GIDS) standard; by using these standards, deployment of physical smart cards is made much easier in Windows 8. All of these options are available for signing in to Windows (on domain-joined PCs), apps, websites, anything that was previously accessible using a physical smart card. This short video shows this in action after it is set up via policy or logon script by your administrator.



In a world that is becoming increasingly dependent on maintaining a secure digital identity, we are very passionate about finding ways to make your digital life safer and more secure, without making it more complex. We’ve spent a great deal of time and focus on this in Windows 8, and we are very much looking forward to hearing your feedback!

– Dustin Ingalls

(1) Source: Dinei Florencio and Cormac Herley, A Large Scale Study of Web Password Habits, Microsoft Research. 2007

Comments (76)

  1. Dexte says:

    This is cool but… what about the music player? zune?

  2. temp says:

    1. (if i don't sync my data) Is it possible in Windows 8 to export web passwords to a file ? In case I reinstall my computer.

    2. Does IE auto populate the login and password fields automatically now like other browsers ? This is a missing feature

    3. It will be nice to see the password in clear text in the credential window.

  3. yeah..watz 'bout the WMP? the same version 12 or gonna hit 'unlucky' 13?? throw some stones on it….

  4. Eric says:

    I'm digging the enhanced key pair integration, but can we tap into these APIs outside of Metro apps? What about on the Windows Server side of things?

  5. tN0 says:

    What about using a smartphone with NFC to log in to a PC? The key could be stored on the phone and Microsoft could have new hardware (like mice or keyboards) with NFC technology built in.

    The original key comes stored on an NFC-enabled smart card to activate the phone as a key, and when you lose the phone, you can log in to any PC with that card and lock your phone remotely.

    Passwords are things from the command line interface era. We need something completely new!

  6. DamionM says:

    Yes tN0 hit the nail on the head.. We need new things like cellphone identification and authentication etc… This is what's new and required at this stage of the game.

  7. jader3rd says:

    @temp

    IE can auto populate the login and password fields (its default is to do so), but it generally is something that everyone disables because once you need to use a new system you realize you've forgotten which usernames and passwords go with which websites.

    Plus the location where the users names and passwords are stored make for an inviting target for malware.

  8. Aaron Boushley says:

    Will the API for storing passwords be exposed in win32 as well as for WinRT apps?  Or will this new password management API be WinRT only?  Will applications other than IE be able to tap into the stored Web Passwords?  For instance would Firefox or Chrome be able to share passwords with IE through this secure store?

  9. Aaron Boushley says:

    tN0 and DamionM you have good points, however I think those approaches are more targeted at how you authenticate with Windows.  Which they said they'll cover more of in future posts.  They are adding the "picture password" and things of that nature that fit the bill of being a new way of doing things.  For something like the NFC authentication you are suggesting you would likely be relying on some form of public/private key pairs and the card you mention as coming with the keys on it would contain both the public and private keys.  The steps they mention here are good steps on the way to a world where what you mention is possible.

    However for authentication with web applications a lot of changes need to be made that are out of Microsoft's control.  There needs to be general uptake from developers all over to support these new forms of authentication within their apps / web apps.

    Aaron

  10. HandNF says:

    It's good to see that you are taking security seriously. My only concern is that when I go to a third-party PC/device, I won't have access or know my passwords. It'd be neat if you included some way to download the passwords to a flash drive and then use a password to open up the passwords.

    I also like @tN0's suggestion.

  11. temp says:

    @jader3rd

    No, IE doesn't auto populate the field automatically. You have to start typing to see the auto-complete. FF or chrome do it automatically, all you have to do is to click go/press enter unless you have more than one saved credentials on a website.

  12. Spidernz says:

    What if I don't use IE? I generally remove/uninstall IE from Windows, so would this be broken?

    It would be nice if all ms apps were not tied into the system, and that in that if you remove one part of it the rest is still functional.

    Will this also apply to applications? if developers want to support it?

  13. This post is disappointing in some important regards.

    1) It should have been said that the Credential Manager isn’t something new. It was already there in Windows 7.

    2) The couple Credential Manager + Internet Explorer lacks crucial functionalities. First, unlike with competing browsers, with IE one has to type the user name’s first letter to retrieve saved credentials. And then one also has to log in manually. This means 2 steps which are normally unnecessary and really annoying. There should be a better auto fill-in function as well as an optional auto log-in function. Now, maybe improvements on that matter have been made in Windows 8, but it is just sad that this post had nothing more to say on this.

    3) It is still to be seen how the Credential Manager will work with the metro IE. I suppose that since the metro IE won’t work with plug-ins there isn’t much to expect from IE (as such) in regard to credential management. Even a solution like LastPass wouldn’t do in the metro IE for the same reason.

    4) This means that, in order to be really efficient, the Credential Manager should work (auto fill-in and optional auto log-in) without being tied to IE. It would be so awesome if Windows would do the same as HP Single Sign On: a credential manager that would work with anything on the computer, whether in or out of browser.

    5) The Credential Manager is simply not user-friendly: no import/export options, an uninviting interface and an invisible location.

    6) Isn’t face recognition a potential option?

    Please make sure that the roaming option will work with the Windows Phone. And make it possible to access to stored data directly from the Web.

  14. pmbAustin says:

    I feel I must mention this:  http://www.xkcd.com/936/

    "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

  15. timwin says:

    how about using, NFC (PC + user phone) and kinect (face recognition, hand print, gesture password – passgesture etc)  for id on top of passwords security.

  16. shrippen says:

    And how about using the credential vault to store credentials for applications too? Like the logins for mail programs or every possible other stuff (Zune, Outlook, Adobe stuff, Trillian…)? Could come in handy to have it all at one point.

  17. shrippen says:

    And it is a must to open this not only to metro apps but win32 applications too, I would like Chrome, Firefox and Opera to be able to use this too (not Safari, it's just baaaahhhhh 🙂 )

  18. shrippen says:

    @Dany Rodier:

    It is possible to import and export the content of the credential manager, it's called "Back up vault" and "Restore vault".

    And in regards to invisible, it's inside the control panel… so… where else would you like to have it?

  19. @Aaron- The APIs for storing the passwords are available to both desktop and Metro style apps. So, any browser could provide this functionality on Windows.

    @Temp, Dany- You could just click/tap on the username field to bring up the list of saved creds for the website without having to type the first few letters.

  20. Nektar says:

    Previously, on another of your forums I have asked the following questions which are relevant to this blog post and I never got any response:

    1. How do you solve the multiple identity problem? I might have a work identity, a family identity, a semi-private identity and perhaps a secret identity for posting anonymously online. I might want to share all my usernames/passwords between some of my identities but not with all of them. I might want to share specific usernames/passwords and settings with all my identities whilst keeping other account information and settings private to some of my identities.

    2. I might want to easily transfer account information such as usernames/passwords, etc, from identity to identity, i.e. I might want to change an identity without having to rebuild it from scratch.

    3. I might want to run multiple applications and Web sites using multiple of my identities in the same user session, without having to (A) create 5 accounts on my computer and (B) having to log on and log off all the time.

    The above are not only desirable and valid scenarios but are situations which are really common nowadays. Just think how you use your Web sites and applications on an everyday basis and compare with the above situations. You will find that you run into these scenarios continuously, especially if you have kids and a family.

    4. How do you solve the issue whereby I might want a friend to use my computer for a while or just use the Internet to browse on my PC without giving him access to all my online Web sites and applications at the same time? Is there a setting for example for keeping this automatic signing-in experience enabled, whilst always requiring me to re-enter my password, but not the username, on sensitive applications or Web sites, or better, on applications or Web sites that I designate as sensitive and not only on those who have decided to enforce this? And don't tell me that I have to log out and then in with a Guest Account, as such a "solution" would be too cumbersome. Ask how many users have ever used the Guest Account and then decide for yourselves if it would be a good idea.

    5. How can I as a user or as administrator audit what exact account information and at which time and in what way it was accessed by a specific site or application?

    6. I might want to visit a site without logging in just for the specific visit. Reasons for doing this are perhaps I might want to create a new account on that site for my friend or family member. Do you mean to tell me that (A) I will need to create a new Windows account first? What if I don't want my friend creating a new account on my computer and link it with their own Live ID just for him/her to be able to sign up to a new site. Or (B) Wait until I am signed in and possibly tracked by the site and then sign out in some site specific way in order to create a new account? And what if that specific site or application does not offer signing out? And what if I don't want the site to track that it is me who has helped my friend or family member to establish a new account in the first place?

    The above are valid concerns and what surprises me is that it seems that your company has not thought of them. These are not the times at which we find ourselves at the beginning of the discussions around identity management. There is at least a decade of research, political discourse, online debates and many many failed industry attempts such as Open ID perhaps?

    Please respond.

  21. @Eric, good questions!  The TPM KSP is accessible via Win32 APIs as well as WinRT; available on server as well.

  22. Dario D. says:

    Off-topic: Can you guys restore XP-like functionality for the advanced volume/recording controls, or do something new? Also, adjusting the more detailed power-save options is HARD now. (I can rarely even remember how to find that panel, and usually dig around for it.)

  23. Clint says:

    The TPM virtual smart card is very cool! Any chance that Hyper-V guests will support using the host's TPM? Example: The vTPM in Xen: cybione.org/…/200901221025.html

  24. @shrippen. Thanks for your comments. I am glad to see I was wrong about the import/export function in the Credential Manager. About its location, I would agree, after consideration, that, in Windows 7, the best place for it was the Control Panel. But in Windows 8, the desktop Control Panel isn’t that easy to find anymore. In Windows 7, any user would have seen the Control Panel button in the Start menu. In Windows 8, the default icon/tile is the metro Control Panel. My suggestion, then: the Credential Manager should be relocated to the metro Control Panel. But that’s no big deal.

    @Sunil Gottumukkala. That is sad to hear. IE is losing so much ground, but such little improvements would make a big difference. The focus of the IE team seems to be on speed, but there are such little things (like having to type a letter or to click with the mouse in a field in order to activate auto-complete) that make the overall experience with IE more unpleasant and concretely slower. I hope you’ll reconsider implementing IE with a real auto-complete and auto-login function.

    In short, three improvements that would make a big difference:

    1. Auto-fill in (without typing or clicking);

    2. Auto-log in;

    3. Both for all programs (like HP Single Sign On).

  25. temp says:

    @Sunil Gottumukkala

    Exactly, can you bring this feature to IE ? people shouldn't have to click/tap on the username field to bring up the list of saved creds for the website. It should auto-fill.

    1. Why are some passwords for websites stored in the registry and others in the Credential Manager?

    2. Is it possible to import exported passwords into credential manager using a command line ?

  26. temp says:

    IE should have an option that opens directly the credential managers.

  27. @Dany Rodier, since the Windows 8 credential storage is accessible via WinRT APIs, apps (programs) can implement their own personalized identity experience – and Windows 8 provides the storage and synchronization.

  28. Andrew F says:

    Are there ways to access credentials stored on Live on non-Win8 machines? I use a lot of public computers and being able to access passwords and such remotely is important. I currently use LastPass, which provides remote access via their website, mobile apps, and USB keys. It's clunky at times, but it works. If Win8 could one-up that, all the better.

    Also, while we're discussing security, can we talk about the picture login demoed early? There are a lot of "easy" passwords with that system — e.g. if there's a picture of a person, the log-in is probably some combo of nose, eyes, and mouth.

  29. xpclient says:

    Storing web forms credentials in Credential Manager is a great improvement! Thanks team. Windows has had an excellent Credential Manager and API ever since Windows XP and it was already used for network share passwords and IE's authentication for websites and intranets. It just wasn't used for storing web form passwords until Windows 8.

    I would like to see more unification of password storage locations in Windows. Windows doesn't store *all* passwords in a common location. Passwords for BitLocker-To-Go, HomeGroup, FTP and WebDAV servers, wireless network keys, Outlook, Connection Manager dial-up and VPN credentials, RDP client, certificates for EFS and private keys are all stored in disjoint locations. Some of these allow backing up the stored credentials, some don't. It would be so much better if all were all stored in a common location which could be backed up and restored as easily, instead of backing each one of them separately.

    Also, for websites which request passwords not be saved, I would prefer it if the *user was always given control* on whether or not to store a password for a website and not let the website decide not to allow saving the password. IE should *always ask the user* if the "Ask me before saving passwords" option is checked instead of denying the ability to save the password if the website specifies so. Because IE currently overrides user choice with what the website wants, passwords for many websites still don't get saved.

    Another feature I am looking forward to in some future release of Windows is built-in Credential Providers for multi-factor authentication like e.g. RSA's tokens.

    I agree with others that the password filling in experience can also be improved. If a single password is stored for a website, IE should autofill it. If multiple passwords are saved for a website, IE should not autofill and stick with the current dropdown behavior.

    My last complaint related to user accounts is that Fast User Switching is no longer "fast" in Windows. We have to click "Switch User", then wait while the screen goes blank and returns after a few seconds, then click another user account, then type the credentials to login, blank screen again and then it logs in. The screen blackout transition is so jarring and sometimes it still gets stuck at the blank screen which looks to be a frequent issue with Windows 7/Vista (search for 'Logon screen stuck black OR blank'). Windows XP had a powertoy called Super-Fast User Switcher using which you could switch Windows user accounts using Win+Q without going to the Welcome screen! Can you implement something similar for Windows 8? The powertoy still works brilliantly with Windows XP SP3. The Win+Q functionality behaved like Alt-Tab but for switching user accounts instead of programs.

  30. @temp. Good suggestion. Currently, the shortest way to get to the Credential Manager directly from IE is: Tools [icon] -> Internet options -> Content [tab] -> AutoComplete Settings [button] -> Manage Passwords [button]. Not really intuitive! In the metro IE, there doesn’t seem to be any road bringing us there.

    @Dustin Ingalls. That’s good news. I just don’t understand why it is left to each developer to implement their app with this identity experience. My point with HP Single Sign On is this: browsers and desktop programs weren’t made to work with Single Sign On, and still this service was able to identify credential inputs almost everywhere (MSN, Skype, VPN connectors, etc.) and to achieve auto-login.

    Internet becomes so central to our daily computing experience that auto-login is not a slight issue. Please learn from others on that regard if you want IE to keep up the pace.

  31. Reason I don't currently use a password manager to create complex passwords: I won't remember that password when I need to log in to another computer. This post said as much. So enlighten me:

    What do I do when I'm on non-Windows 8 PCs, or even in a browser that doesn't use the credential APIs?

    I'm also interested in the answer to the question of multiple online identities within one Windows session.

  32. @Dany Rodier – there are a number of standard ways to collect credentials in Windows and developers are free to use those; but at the same time we wanted to give developers the flexibility to create their own personalized/branded experiences if they so desired…we didn't want them to have to give up the benefits of having Windows manage credentials if they wanted to create a tailored experience.  The API is very simple to implement;  see msdn.microsoft.com/…/windows.security.credentials.passwordvault(v=vs.85).aspx if you're interested in more details…

  33. xpclient says:

    Will IE10 on Windows 7 also store web credentials in the Windows Vault, or will it continue to store them in the registry like earlier versions of IE?

    Also the legacy "Protected Storage" service seems to be entirely absent in Windows 8? How will legacy apps that require reading from PStore cope with this? Are they redirected to somewhere else? In Vista/7, PStore was read-only but still present.

  34. … So you're inventing the Mac Keychain, 14 years late…?

  35. @Aaron Boushley

    This is Microsoft we're talking about; nothing will be compatible for any competing app. They sure do treat their devs real well, huh?

  36. @BumbleBritches57 — the API to access this is available as pointed out in the comments from @Dustin who wrote the post and also @Sunil Gottumukkala [MSFT] who answered this question:   msdn.microsoft.com/…/windows.security.credentials.passwordvault(v=vs.85).aspx and the way we implemented it provides for the opportunity to have an app-specific user interface.  It is available to both Win32 and WinRT apps.
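
The PasswordVault API that comments 32 and 36 point to can be exercised from a script, which makes it easy to see what "Windows manages the credentials" means for anything running in your session. The following is an added example written for this thread; it is not code from the post, from Microsoft, or from the MSDN page linked above. It assumes Windows 8 or later with the Windows PowerShell desktop host (which can load WinRT types directly; PowerShell 7 is not covered), and the resource name, user name and secret are constructed sample values.

```powershell
# Added example (not from the post or from Microsoft): round-trip a credential
# through Windows.Security.Credentials.PasswordVault from Windows PowerShell.
# Assumes Windows 8+ and the Windows PowerShell desktop host (WinRT projection).

# Load the WinRT types into the session. The "ContentType=WindowsRuntime" suffix
# tells the type resolver to look in WinRT metadata rather than a .NET assembly.
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null
[Windows.Security.Credentials.PasswordCredential,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null

$vault = New-Object -TypeName Windows.Security.Credentials.PasswordVault

# Hypothetical resource/user and a constructed sample secret (not real data).
$resource = 'https://example.invalid/app'
$user     = 'demo-user'
$secret   = 'constructed-sample-secret'

# Store one credential. Adding the same resource/user pair again overwrites it.
$cred = New-Object -TypeName Windows.Security.Credentials.PasswordCredential `
                   -ArgumentList $resource, $user, $secret
$vault.Add($cred)

# Enumerate everything visible to the current user session. Password is blank
# on the returned objects until RetrievePassword() is called, but nothing
# (no prompt, no second secret) stops this process from calling it.
foreach ($c in $vault.RetrieveAll()) {
    $c.RetrievePassword()
    '{0} / {1} -> {2}' -f $c.Resource, $c.UserName, $c.Password
}

# Targeted lookups: all entries for a resource, or one exact resource/user match.
$byResource = $vault.FindAllByResource($resource)
$exact      = $vault.Retrieve($resource, $user)
$exact.RetrievePassword()
if ($exact.Password -ne $secret) { throw 'round-trip through the vault failed' }

# Remove the sample entry so it does not linger in the real vault.
$vault.Remove($exact)
```

Two things worth noticing when you run it. First, the only gate between a script and the stored secrets is being logged on as that user: `RetrieveAll()` followed by `RetrievePassword()` yields plaintext with no prompt, which is the concrete form of the question raised later in this thread about what happens when someone else, or something else, is running under your account. Second, the `Retrieve`/`FindAllByResource` split is what lets an app present its own chooser when several accounts exist for one resource, which is the multiple-accounts case the post's authors describe.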

  37. The first thing that comes to mind whiles reading this blog post is, how to deal with portability. Currently I use a KeePass database that I am able to copy / move and use on almost every device I use (Windows 7, iPad, Windows Phone 7). How will this solution cope with that? Is it exchangeable between those platforms? If so, how? (Live ID?)

  38. Klimax says:

    @BumbleBritches57 14 Dec 2011 10:15 PM:

    Just upgrading existing facilities

    @BumbleBritches57 14 Dec 2011 10:21 PM:

    Which ones? There are way too many programs and systems to ensure proper interfacing anyway. If anybody is that interested, they can write a bridge themselves. Your comment is naive at best…

  39. Why are so many people responding to me? When did I mention APIs or anything similar? wtf?

  40. John says:

    Can it generate strong passwords too?

  41. Microguy says:

    Hello Microsoft, can I get Windows XP SP2 compatibility mode in Windows 8?

  42. "One approach is to enable Windows to help you manage your passwords…"

    One thing I do is avoid OS or Browser "remember my password". Why? Because if I do, I won't be using my password and I would be forgetting it! This would be a good idea if you only used a single machine to access your email…

  43. Microguy says:

    Please add support for old hardware parts too.

  44. temp says:

    I really suggest adding an option to display the password. Sometimes I want to check a password that I don't remember.

  45. @Dustin Ingalls, @Steven Sinofsky.

    A great thing about Windows is that one can develop an app to tweak almost everything. But the blog, it seems to me, is not about if and how developers could eventually implement Windows with missing functionalities. Advanced users will find ways to correct what they don’t like. But, really, that’s not the point. The argument about flexibility (from Dustin Ingalls) seems pretty weak to me: if one (hardware companies or individuals) wants to bring in something different, they can simply disable or bypass built-in functionalities, as it has always been done.

    I just don’t understand why this “no compromise” version of Windows still misses the opportunity of making those tiny changes that bring big improvements in our daily computing. Tiny changes like:

    Internet Explorer

    – Auto-fill in and auto-log in

    – Built-in PDF printer (as for Office)

    – An easy way to create a simple shortcut (instead of a pinned site)

    – A better RSS feeds reading experience

    Windows Explorer

    – Easy network connection to cloud services

    – Folder sizes in the Size column

    – Pinned site equivalent for local shortcuts

    – Rotation of videos

    – Searching pictures by identified person

    – Option to hide libraries

    – Option to dock the Details pane at bottom

    – Why not a RSS feeds library?

    – Partition indexing

    Windows Media Player

    – More formats

    – Cloud syncing option

    Miscellaneous

    – A lot of tiny changes in Zune!

    – A faster access to the Power button

    – Etc.

    Again, I know third party apps could bring all these improvements. But every time Windows relies on third party apps, this implies that (1) not everyone will get those tweaks and (2) the Windows experience will be considerably slowed down through those apps.

    I only mean to be constructive. I like Windows a lot, I enjoy those many improvements already made and I just want Windows 8 to be the best. Thanks for this blog and thanks for listening.

  46. Thx for your work to make my digital life easier!

    Do you plan to support face login as well?

    That would be cool, something that is missing on the market.

  47. Microguy? says:

    Windows 8 system requirements? Compatibility for old hardware and Windows XP SP2, anyone know?

  48. Joe H says:

    I highly recommend you use LastPass with auto-login enabled for a few weeks if you think that the IE9/Credential Manager method of having to manually click on an entry list, select the username, and then click on the sign in button is actually convenient.

  49. Quackypants says:

    I think this is fantastic, as

    'with a local password, if you forget your password, you’re in a tough spot – if you didn’t create a password recovery USB stick, you’re stuck rebuilding your machine from scratch'

    is simply not true.

    You can zap it with a Linux boot CD that a novice can find with instructions using a simple search on YouTube.

    Currently losing, or having your device stolen, is a disaster if passwords are stored locally. Pre-boot authentication prevents passwords from being clear, but who really uses this outside of an Enterprise environment?

    Great work, really impressed with this!

  50. Alvaro says:

    @Microguy – I think i woul have the same reqs than 7 (and vista) … so i guess that everything that work on those will work in 8.

    ppl i'm a little confused:

    So, in windows 8 there will be ONE place to manage all my credentials (web passwords, bitlocker, pki certificates, virtual smart keys, and of any software that use certain API, etc) and all those would be bound to my LiveID, in a manner that I can retrieve it them from any computer i deemed as trusted.

    Then my dous is:

    1. If i can export/import t it to/from a file, (for the comments seems like i can). But would this file be protected somehow to avoid a malicius user/software… to simply stole this file and acces all of my credentials????????

  51. Crackers says:

    Cracking makes you a cracker, not a hacker.

  52. wr says:

    I don't get that virtual smart card thing. So smart card info is stored in the TPM chip inside the PC and all the thief has to know is the PIN number to login? Because now he also has to have a physical smart card. So, what about the security?

  53. WinNext says:

    This is a superb boot screen http://www.youtube.com/watch , this will be a nice boot screen for windows 8 if added, (Bootscreen only – 0.01 to 0.11 sec ) ,I like it so am suggesting , take it or trash it , no complaints. 🙂

  54. I understand the principle but obviously placing all your passwords in one place makes that one location the weakest link, one which hackers and malware creators will be eager to exploit. Few machines ship with a TPM, so that rules out 99% of existing computers. If it improves security and usability then I'm definitely for it, though I'm certainly sceptical at this point.

    Also, will other applications be able to use / access this information? If so is that not a security risk? Is not then it is useless to other browsers, like Chrome or Firefox.

    Regardless, Chrome already does this for me. It syncs to my Google account, which saves all my bookmarks and passwords for access at any time. It's not really a secure feature but it is convenient.

    PS – I do find it REALLY annoying that different websites have different requirements for passwords. Some require a capital letter and a number, yet refuse to accept special characters. Some require between 7-15 characters, which yet support both special characters and non-capitals. Some require the password to be changed and it cannot be one you have used before, which is where it gets complicated. It's an absolute cluster&!% and actually makes things less secure and I'm constantly resorting for the "forgot password" option.

  55. Stefan says:

    Hackers will love this if they have installed a keylogger ! Wonderful work Microsoft – NOT !

  57. far says:

    Anyone ever heard about LastPass?? That makes this feature pretty much redundant….

  58. I'm just wondering, will Windows have a native Facial Recognition feature for logging in? Since we're talking security here.

  59. uk_mkh says:

    I appreciate the convenience of using a PIN to log into the Windows 8 PC, especially if we have complicated passwords, etc. However, I think the user should be able to select a PIN length of their own and not be limited by a 4 digit PIN. As I don't think there is an 'account lockout' feature when using a Live ID login to Win8, I would prefer that a potential intruder is unaware of the PIN length in use. This would harden and blur the security rules in place from the viewpoint of the intruder. In addition, the ability needs to be given in the security preferences that an incorrect number of PIN/password attempts should result in one of the following user selected choices: lock the account out, wipe the device, or send an alert message to the user's secondary device (i.e. SMS or email) after X incorrect attempts.

  60. JSM says:

    Personally I find that storing passwords on the PC is not a good idea, even if I think that you have done great work on this.

    There are too many ways to compromise the security of a PC. It is impossible to ensure at 100% that all security holes have been plugged. Trojans, improperly configured or obsolete firewalls, phishing, bugs in the system, bugs in applications, etc. are all potential threats to the security of the PC. This is also the reason why auto-fill for passwords and auto-login must be avoided.

    Typing and using long and complex passwords may be tedious; for me, as long as passwords are required, this burden is necessary.

    It is tempting to listen to the users and give them a way to alleviate this, but in my opinion this will only increase insecurity.

    Instead of trying to compensate for the problems caused by passwords, wouldn't it be better to push a different way of identification?

    Biometry is good. For example, a keyboard with a fingerprint scanner would efficiently replace lists of passwords (although it doesn't solve all situations).

    If Microsoft pushed in that direction,  I am sure this type of accessory would quickly spread.

  61. Windows7 says:

    Passwords should be remembered, not stored or written anywhere. Spending time thinking about a unique and secret password, then storing it in the very place it's meant to protect, is just pointless.

    This is one feature of Windows I have never and will never use.

    Having said that, I won't be using the final release of Windows 8/Metro 1 anyway.

  62. @far. But LastPass won’t work with metro IE. Don't you think it should be the contrary: Windows should make LastPass useless. With a better user experience (auto-fill and auto-login) and a decent roaming of credentials through Live (accessible online), it surely would. The fact is that LastPass slows browser start considerably.

    @JSM. The point is not to impose auto-fill and auto-login, but to make it available as option, so that everyone could choose (and, ideally, choose for each case).

  63. metroman says:

    Metro is awesome, I'm starting to like it very much, it's better than the old desktop design. But I am worried about the lack of program icon tile support in the Windows Dev Preview. @steven so Metro will be polished well in the beta release, right? Everyone is anxious for the Windows 8 final release. Don't make me disappointed. Best wishes..

  64. LD says:

    @Dany Rodie & @MS

    Lastpass won't work with Metro IE, this is just another issue I have with Metro; the lack of control that I have as the machines owner. I really dislike the "let's dumb down computers", when you make things too simple you remove flexibility and create problems for people that actually want control.  This is another reason Metro needs to be optional.

    Back on topic, I use lastpass and this offers similar functionality but I can see people being locked out of their accounts if they need to connect from another machine and if you lose your hard drive.  I’m also concerned, what if I want to store my logins but later I want to access a site on my iphone or ipad… not my PC?  I know MS likes to “cross sell” this way but it is a negative experience for the consumer when 3rd parties can provide cross platform functionality.  Not all of us feel the need for a windows tablet.

    Windows failed in the tablet market because the windows UI was clunky on a tablet… so they’ve invented a UI that’s clunky on a PC instead.  Metro isn’t going to make me switch to a windows tablet, especially if apps need to be compiled for ARM.  I really don’t want to buy 3 copies of an app to do things:

    • Metro Version

    • Windows desktop version

    • Arm Version

  65. I believe password security is very important, and that users (especially young ones) need to learn about security (they'll put anything online for anyone to see). But, personally, I won't use this, especially, a Windows Live ID. Why, if I don't trust other sites, would I trust Microsoft to keep my info safe? I'm sorry but, I don't see this as a good idea. Users need to be taught safety, not have the need to exercise their brains made unnecessary by some website that promises security. Microsoft has made huge leaps in security since 3.11 & NT3.1 but, I can't make peace with the idea of the "cloud" and someone else caring about my security.

    Sure I'm paranoid but, am I paranoid enough!

    Dan

  66. I would still like to see a new account / profile mechanism (i.e. a shared session or profile) where users can share a single session/profile, but multiple users could unlock that session.

    An example would be that User A logs in, kicks off a tasks/runs, and locks the machine. User B comes in behind them, and wants to log into the same session, thus authenticates, and is allowed into the session, thus from a non-repudiation standpoint, User A is logged off in the background, and User B's credentials take over.  

    Group accounts will never be allowed (single account, shared password), and we need a solution…

  67. wr and alfaro asked by far the most important questions above and they have yet to be answered.

    1. Will the Credentials manager be protected in some way? Meaning, if I am logged in and let someone else use my machine, will they just be able to bring it up and see all my credentials? Or will it also require authentication?

    2. Virtual Smart Cards seem to entirely defeat the purpose of two factor authentication, since now all the person who wants to log in needs to know is your pin. Are we missing something?

  68. Bob says:

    I don't think there's a business alive today where most sysadmins' passwords can't be compromised by a machine they've been logged into being taken offsite and their password cracked via utilities such as ophcrack or l0phtcrack; the only real defense is a 16+ character alphanumeric-special password.  Additionally, should the user's account break or their disk crash, how are they going to recover their password vault?  Thinking from a business perspective; do I really want a Microsoft Service that stores my users' logon credentials online and allows access from multiple points?  

    What's really needed is to objectify credentials like Windows does with certificate files; each credential has a different standard by which it's written and thus, a different application, webapp, website, etc. it belongs to.  Thus when stored in a repository there's an inherent security insofar as the credential itself can be encrypted by a proprietary method before Windows works with it.  There's inherent functionality as an API can be built to interact with each certificate object.  Even if the repository or a subclass of APIs are compromised, the objects inside the repository may not be; the model is inherently secure.  One, therefore, would have 3-4 separate passwords; one for the single sign-on, one for a sign-on into the repository, and one or two to secure each individual credential object one cares about; if an account or set of accounts were compromised the user would know which accounts they would need to recover with other credentials to repair the compromise.  The vault could then be stored either locally or on a Microsoft server and nobody would necessarily care about the security of that server (or the trustworthiness of Microsoft) as the important credentials are uploaded in a pre-encrypted format.

  69. @Existentialism0 et al. – The safest way to allow others to use your PC is to create an account for them.  In my home, I create a guest account with low rights to enable others to browse the Internet, check email, etc.  Independent of the credential store question, any time you allow another user to access your account, you are allowing them access to all of your data, resources – anything you can access.  

    There were other questions asked about what happens when you have multiple accounts for an application or web site.  Windows 8 supports a signed in user having multiple accounts and credentials for a single web site or application, and will allow a user to choose which account they want to use for a given session.

    For the virtual smart card question, the two factors are the TPM inside the PC and the PIN used to authorize the TPM to utilize the associated private key for a request.  The PIN in this scenario is protected by TPM based anti-hammering, dramatically limiting the number of attempts someone can make to "guess" the PIN. Stealing the PC is equivalent to stealing the physical smart card.  So if, for example, your workplace requires smart cards for remote access, an attacker would either have to steal your smart card (if you're using a physical smart card), or your PC (if you're using the Windows 8 virtual smart card).

  70. joeslipper says:

    Great post! Useful information in here

  71. Stepan says:

    It's sad that a lot of people want these features. They really want to sell their privacy so that someone else will manage their credentials.

    I have no doubt that, among other things, Microsoft can easily access these however encrypted and protected passwords.

    I understand that this will probably be exercised in exceptional cases only, but the fact that such things are built with this ability in mind worries me.

  72. veeno says:

    People who are asking about other browsers sharing credentials: ask the vendors of those browsers to make use of the system service. Yes, since it's a system service it can be used by 3rd parties.

    PS, first ask Google to implement the jumplist feature for pinned Gmail for IE9. Like we have Inbox, New Message and other links in Hotmail's jumplist.

  73. Sandeep says:

    More than 5 years ago, I discussed this need with one of our Directors providing consulting to MS. And incidentally I was discussing this again with one of my colleagues, what a coincidence.

    But this is not the end where i wanted this…. there are more generic thoughts that i have and hopefully someday get chance to put forward.

  74. First, I have an issue with the PIN login, Num Lock is not automatically activated when using PIN login. I have to activate Num Lock each time.

    Second, to the people that don't understand why IE doesn't do auto-fill for passwords: IE can save multiple username/password combinations for the same site, so you need to type a few letters or click to select the username you want to use, then IE will retrieve the associated password.

    I agree that auto-fill might be a good idea when only a single user/password combination is saved for a site.

    My problem with saved IE passwords is that the passwords are saved at the URL level, not at the site level. Some sites display a login form whenever you access a protected page, and you are not signed-in yet. This means that the site will have multiple URLs for the login form.

    As an example, for a forum, there might be a potentially infinite number of URLs, one for each forum thread, as the login is requested only when you reply to a thread, and in this case the password will be saved at the forum thread level (or, even worse, at the thread page URL level, when the forum thread has multiple pages).

    So, in many cases, saving the password at the URL level doesn't make any sense.

    My proposal is to ask the user if he wants to save the password for the current URL, or for the entire site (DNS domain), with the entire site being the default.

  75. @BumbleBritches57 says:

    @BumbleBritches57 Exactly what I thought about Keychain. Which has been around since System 8.6 – according to en.wikipedia.org/…/Keychain_(Mac_OS) – which was released in 1997