Passwords in IE11


Today’s Web relies on passwords as a form of authentication, which means people have to log into a variety of different services every day. Not only is typing passwords on touch devices cumbersome, but people are creating weak passwords and using the same password for every site, making them more vulnerable to identity theft. Having a secure, reliable password manager is the best method for encouraging people to create strong, unique passwords for every site.   

With Internet Explorer 11, we’ve done work to make signing into sites faster and more reliable as well as give users more control when saving credentials.  In addition, IE11 will now roam credentials to IE11 on Windows Phone 8.1!

Password autofill with IE11 on Windows Phone 8.1
You can now save and roam passwords to IE11 on Windows Phone 8.1

Reliable Login form detection

With IE11, we’ve beefed up our login form detection which means that IE will now prompt to remember passwords on over 90% of login forms on the Web.  This is a significant improvement over previous versions of IE.

You decide if you want to save your password

We are giving control back to the user when deciding to save passwords on a given site.  IE11 will now prompt the user to save passwords even if the autocomplete=off attribute is set on login forms.  IE will continue to honor this attribute on all other form fields (e.g. username, credit card, address, name, etc.).  There are two main reasons for doing this. One is to address the user confusion around why IE won’t remember passwords on certain sites. The second is because we believe that encouraging users to create strong, unique passwords is more important than honoring the autocomplete=off attribute on forms. Users should be able to decide for themselves if it is safe to save a password on a given device and situation. 

Sign in faster

IE will save you time by automatically pre-populating your credentials after the page has loaded, when it is safe to do so. Previously, users were required to click or tap in the username field and then click or tap again to select the username to populate the password.  This presented problems on touch devices—triggering double-tap to zoom—and on sites that pre-populated usernames from cookie information. This change in Autocomplete behavior on login forms is secure, as IE will revert back to its old tap-and-select behavior when the site does not meet certain security criteria. This design is a result of our focus on keeping the user secure.

For tablet users, double-tap-to-zoom has now been disabled on input elements to address the issue where tapping and selecting an Autocomplete item triggered optical zoom. Last, to allow sites to detect when the username and passwords have been filled, IE will now fire the ‘input’ and ‘change’ events when pre-populating credentials in the form.

Sign in once, everywhere

With Windows 8.1 and Windows Phone 8.1, users don’t have to re-enter their credentials for the same domain in a Windows or Windows Phone Store app that they’ve previously saved in IE.  This significantly speeds up your sign-in experience across apps and devices. In IE11, Windows will use your IE saved credentials for that same domain hosted in a Store app via the Web Authentication Broker. As always, Store apps will never be able to read the credentials stored in IE.

Sharing credentials between apps and IE.
Windows will use your sign-in info from IE11 for the same domain hosted in a Windows Store app

Windows Store apps using the Web Authentication Broker today will automatically get this experience with no additional markup required. And, your site and app credentials will roam between your PC and mobile devices as well.

Managing passwords

IE11 on Windows 8.1 stores credentials in the Windows Credential Locker. Web site passwords can be managed in the Credential Manager desktop control panel on Windows 8. With IE 11 on Windows 8.1, you can now also manage your Web accounts directly from the modern Internet Options. To do this from the modern IE, swipe from the right to open the Charm and tap Settings. From there, you can open your accounts and manage your credentials without switching to the desktop.

Manage credentials directly from within Internet Explorer
Managing your Web site accounts can now be done directly within the browser

And, as previously mentioned, all credentials can be roamed to all your Windows 8.1 devices.

Please try IE11 on Windows 8.1, Windows Phone 8.1 or Windows 7 to try out these new experiences for yourself! Looking forward to your feedback.

Thanks!

— Amy Adams, Senior Program Manager, Internet Explorer

Some developer notes:

In order for your site to work with IE 11’s password manager, the login form must meet the following criteria:

  • Contain both a username and password to login to a service
  • Username and password fields are encapsulated in the HTML5 form element
  • Uses HTML5 standard input types for username field that accept free-form user input
  • Uses the HTML5 password input type for the password field
  • DOM Level 2 submit event is fired upon submission of the form and credentials are not cleared before the submit event is fired
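
A way to check a login form against the first four criteria above, as an added example that is not part of the original post and not IE's detection code. The function name, the set of accepted username input types, and the rule of skipping hidden inputs (taken from the description in comment 19 below) are assumptions.

```javascript
// Added example, not IE's detection code. FREE_FORM_TYPES is an assumption:
// the post says "free-form user input" without listing the accepted types.
const FREE_FORM_TYPES = new Set(['text', 'email', 'tel']);

const tagOf = (el) => String(el.tagName || '').toUpperCase();
const typeOf = (el) => String(el.type || 'text').toLowerCase();

// `form` is an HTMLFormElement in a browser (e.g. document.forms[0]) or any
// object of the same shape: { tagName, elements: [{ tagName, type, name }] }.
// Returns a list of findings; an empty list means criteria 1-4 are met.
function auditLoginForm(form) {
  if (!form || tagOf(form) !== 'FORM') {
    return ['credential fields are not enclosed in a <form> element'];
  }
  const inputs = Array.from(form.elements).filter((el) => tagOf(el) === 'INPUT');
  const pw = inputs.findIndex((el) => typeOf(el) === 'password');
  if (pw === -1) return ['no <input type="password"> inside the form'];

  // The nearest input before the password field, skipping hidden inputs
  // (anti-CSRF tokens and the like), is the candidate username field.
  const user = inputs.slice(0, pw).reverse().find((el) => typeOf(el) !== 'hidden');
  const findings = [];
  if (!user) {
    findings.push('no username field precedes the password field');
  } else if (!FREE_FORM_TYPES.has(typeOf(user))) {
    findings.push(`field before the password has type "${typeOf(user)}", not a free-form text type`);
  }
  return findings;
}

// Constructed sample forms (plain objects standing in for DOM nodes).
const input = (type, name) => ({ tagName: 'INPUT', type, name });
const SAMPLE_FORMS = {
  standard: {
    tagName: 'FORM',
    elements: [input('email', 'user'), input('hidden', 'csrf'), input('password', 'pass')],
  },
  passwordOnlyStep: {
    tagName: 'FORM',
    elements: [input('hidden', 'csrf'), input('password', 'pass')],
  },
  checkboxFirst: {
    tagName: 'FORM',
    elements: [input('text', 'user'), input('checkbox', 'remember'), input('password', 'pass')],
  },
  scriptedDiv: { tagName: 'DIV', elements: [input('text', 'user'), input('password', 'pass')] },
};
```

The fifth criterion is runtime behaviour and is not checked here; note that calling `form.submit()` from script does not dispatch a `submit` event.
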
Comments (37)

  1. Good News says:

    Yes!! Good article, good design choices. I'm glad to see IE making these bold steps for the right reasons.

  2. Brenno says:

    > This change in Autocomplete behavior on login forms is secure, as IE will revert back to its old tap-and-select behavior when the site does not meet certain security criteria.

    What are the "certain security criteria"?

  3. Spiff says:

    Quote:

    "IE11 will now prompt the user to save passwords even if the autocomplete=off attribute is set on login forms.  IE will continue to honor this attribute on all other form fields (e.g. username, credit card, address, name, etc.).  There are two main reasons for doing this. One is to address the user confusion around why IE won’t remember passwords on certain sites."

    I think that needs some explanation.

    What do you mean?

    Do you mean IE11 will ignore any autocomplete=off attribute setting on login webforms,

    or do you mean IE11 will partially ignore the user's settings in Internet options Content AutoComplete Settings?

    If you mean IE11 will ignore any autocomplete=off attribute settings on login webforms, though respecting the user's settings in Internet options Content AutoComplete Settings, that may be okay, I guess.

    But if you mean IE11 will partially ignore the user's settings in Internet options Content AutoComplete Settings, and will ask to remember passwords even though the user has set *not* to remember passwords, that would be terrible.

    That would ask for an extra setting, to prevent IE asking to remember passwords.

    I really hope you can clarify this matter.

    If it is really Microsoft's plan to make IE11 partially ignore the user's settings in Internet options Content AutoComplete Settings, and ask to remember passwords even though the user has set *not* to remember passwords, that would be outrageous.

    As I said, that would ask for an extra setting, to prevent IE asking to remember passwords.

  4. Barry says:

    I agree with you, honoring that dumb autocomplete=off parameter is a bad idea from website makers who think they’re entitled to decide in users’ names.

  5. Dave says:

    Would love to know how the backend roaming security of passwords is ensured.

  6. Sardoc says:

    … It's all great and stuff, but I'd still prefer a native IE12 future release for Vista and 2008 (non-R2) instead. Having them stuck with outdated IE9 is like an official invitation and red carpet for Chrome and (less so) Firefox.

  7. LS says:

    Since the password will roam and you won't be able to store the hash (the hash may be computed on the client side code along with salt), that means that MS will be storing passwords on their servers.

    Please let us know when Congress prevents the NSA from having access to any of the data stored by MS anywhere in the world.  Until then, MS is merely digging a deeper hole when it comes to managing public perception of how secure MY data is.

  8. Cc says:

    Could someone tell me if any windows 8 desktop app can get access to the IE saved passwords?

  9. WixosTrix says:

    I love this feature in the Windows Phone 8.1 update. It would be great if you guys were able to connect our Microsoft accounts to LastPass and Windows and Windows Phone are able to securely pull credentials and auto-complete info from your account.

    Auto-complete for forms is still a glaring omission so I hope to see that soon. Also, tabs need to sync between devices more frequently. Like every time a new tab is opened, it should update so other devices can see it.

    Keep up the good work guys 🙂

  10. Louis Martinez [MSFT] says:

    Hopefully I can provide some clarity to autocomplete=off.  If a website implements autocomplete=off in their login form (think username input box followed by password input box), we will now prompt you to store your credentials.  If a web form has input boxes marked up with autocomplete=off (think a form asking for your name, address, phone number, credit card, etc) we continue to behave as we have in the past and not store that data off.  If you've disabled "Ask me before saving passwords" then the autocomplete feature in regards to usernames and passwords is turned off and you will not get prompted to save anything.  This behavior is also unchanged from previous versions of IE.  Hope this helps!

  11. Spiff says:

    Dear Louis Martinez [MSFT],

    Thank you very much for your reply.

    You  wrote:

    "If you've disabled "Ask me before saving passwords" then the autocomplete feature in regards to usernames and passwords is turned off and you will not get prompted to save anything."

    Can you tell us, please, does the same apply to the situation in which the user has disabled AutoComplete for "User names and passwords on forms"?

    I should think so, but it would be nice if you could confirm.

    Thank you very much.

  12. Louis Martinez [MSFT] says:

    @Spiff – "User names and passwords on forms" disables the feature completely, so you will not be prompted to store any credentials and we will not automatically populate any login information you've stored.

  13. Louis Martinez [MSFT] says:

    Below are the cases where we auto-populate credentials:  

    – The site must be an SSL site.

    – The site certificate must be valid and the page must not have mixed SSL and non-SSL content.

    – The login form must not be in a frame.

    – The tab must not be in inPrivate mode

    – The user must have exactly one credential stored for the site (If two or more credentials are stored for the same site, we won't auto-populate, as we wouldn't know which user is currently using the machine)

    In every other case, the user can double click or tap into the field to access a dropdown of credentials to use. Adhering to these rules prevents malicious sites from harvesting credentials by pretending to be a legitimate site.  Hope this clarifies things.
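
The rules listed in the comment above, modelled as a check a site operator could run against a description of their login page; this is an added example, not part of the comment thread and not IE's implementation. The function name and the `page` field names are hypothetical.

```javascript
// Added example: a model of the rules in comment 13, not IE's implementation.
// The `page` field names are hypothetical.
function autofillDecision(page) {
  const blockers = [];
  const top = new URL(page.url);
  if (top.protocol !== 'https:') {
    blockers.push('page is not served over SSL');
  } else {
    if (!page.certificateValid) blockers.push('site certificate is not valid');
    // Resolve each subresource against the page URL so relative and
    // protocol-relative references inherit https; only real http: loads count.
    const insecure = (page.subresources || []).filter(
      (ref) => new URL(ref, top.href).protocol === 'http:'
    );
    if (insecure.length) blockers.push(`mixed content: ${insecure.join(', ')}`);
  }
  if (page.formInFrame) blockers.push('login form is in a frame');
  if (page.inPrivate) blockers.push('tab is in InPrivate mode');
  if (page.storedCredentials !== 1) {
    blockers.push(`${page.storedCredentials} credentials stored; exactly one is required`);
  }
  // Any blocker means the user must tap or click the field and pick a credential.
  return { mode: blockers.length ? 'tap-and-select' : 'auto-populate', blockers };
}

// Constructed sample pages (example.test is a reserved test domain).
const CLEAN = {
  url: 'https://login.example.test/',
  certificateValid: true,
  subresources: ['/app.js', '//cdn.example.test/site.css'],
  formInFrame: false,
  inPrivate: false,
  storedCredentials: 1,
};
const SAMPLE_PAGES = {
  clean: CLEAN,
  mixedContent: { ...CLEAN, subresources: ['/app.js', 'http://ads.example.test/banner.js'] },
  framed: { ...CLEAN, formInFrame: true },
  sharedMachine: { ...CLEAN, storedCredentials: 2 },
  plainHttp: { ...CLEAN, url: 'http://login.example.test/' },
};
```
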

  14. Robert says:

    How are you detecting whether there is a "username" field ?

  15. Peter says:

    @Louis Martinez [MSFT], since you are the only person from IE team who likes engaging with IE users, can you please confirm if download attribute is coming? http://www.w3schools.com/…/att_a_download.asp

    Please tell the team that it's dearly wanted!

    Thank you

  16. Spiff says:

    Dear Louis Martinez [MSFT],

    Thank you very much for your reply.

    You wrote:

    " "User names and passwords on forms" disables the feature completely, so you will not be prompted to store any credentials and we will not automatically populate any login information you've stored."

    Thank you very much, that is clear.

    If the user's setting in Internet options Content AutoComplete Settings AutoComplete disabled for "User names and passwords on forms" is fully respected, then there is no problem and it's fine.

    Thanks again for clarifying.

    The original article could have been a little clearer though, to prevent possible misinterpretations regarding whether the user's autocomplete settings were respected.

    Thanks again

    and best regards

  17. OberstDanjeje says:

    Thanks for the info

    On a domain PC the IE passwords don't sync, is that right?

    Is there a way to enable password sync on a domain PC?

  18. Louis Martinez [MSFT] says:

    @OberstDanjeje – Credential syncing is indeed tied to your Microsoft Account.  There is currently no way to sync credentials on a domain joined PC.

  19. Louis Martinez [MSFT] says:

    @Robert – At a high level, it's the same way it has always traditionally detected it.  An input box that accepts text, followed by an input box of password type.  We did work to handle more situations where the form might include hidden input boxes in between these, as well as addressing the vast majority of the issues that were listed at blogs.msdn.com/…/troubleshooting-stored-login-problems-in-ie.aspx.  If you have concerns with a form not prompting to store a password that you think should, please let me know.

  20. John Garland says:

    Two quick requests:

    1) In the Accounts panel in the Modern IE Settings Charm, please consider sorting the items by URL, or in some visually identifiable order.  Currently there appears to be no rhyme or reason to the order (if there's a date factor to the order, put the date information on the display.)

    2) In the Accounts panel in the Modern IE Settings Charm, please reconsider the "soft dismiss" behavior associated with the Remove button (use case: try to remove multiple accounts from that panel.  The soft dismiss behavior makes it a less-than-ideal experience.)

    Thank you

  21. pmbAustin says:

    Can you see what has happened with the twitter.com website in relation to this stuff?

    I don't know whether it was an IE 11 update, or a change in the Twitter site (I highly suspect the latter), but the whole "remembering user name and password" thing suddenly completely stopped working.  I now have to type everything in manually every single time I switch users or log out and want to log back in.  It's very annoying.

    SOMETHING changed there.  Maybe you need to get with them to get their site fixed?  Or at least investigate yourself.

  22. Amy Adams [msft] says:

    @Cc: Good question! No, apps cannot read the passwords stored by IE.

  23. Amy Adams [msft] says:

    @Spiff: Hopefully Louis clarified your questions. We will still honor the user autocomplete settings on login forms.  

    I would also like to add that other browsers (Safari, Opera, Chrome) also prompt to save passwords when the autocomplete=off attribute is set on login forms. In Safari, you have to go into the browser settings and set it to allow prompting even when autocomplete=off is set. Chrome has recently changed their behavior to match ours as well by default: groups.google.com/…/forum.

    In general this is a direction the browsers are moving towards as users need to have control over saving and managing their credentials for any site. As I've mentioned password managers are a great tool for encouraging users to create (and remember) strong, unique passwords for every site they log into. Hence the password manager should prompt for any site and the user should decide if they want to save the password or not.

    Hope that makes sense.

    -Amy Adams [MSFT]

  24. Spiff says:

    Amy Adams wrote, "Hopefully Louis clarified your questions."

    Yes, thank you very much.

    Best regards

  25. Amy Adams [msft] says:

    @Dave: IE on Windows 8 and Windows 8.1 uses the Windows Credential Locker to roam passwords. Nothing has changed here with Windows 8.1. You can read more about Windows Credential locker and roaming here: blogs.msdn.com/…/credential-locker-your-solution-for-handling-usernames-and-passwords-in-your-windows-store-app.aspx

    Thanks,

    Amy Adams [MSFT]

  26. Amy Adams [msft] says:

    @John Garland: Thanks for the feedback!

  27. Louis Martinez [MSFT] says:

    @Peter – Rest assured, many folks from the IE team actively monitor the feedback in these blogs.  To follow along about features that have been implemented or are under consideration, please check out http://status.modern.ie/.

  28. Amy Adams [msft] says:

    @Cc: I should clarify. Windows Store apps cannot access credentials stored by IE. However a desktop application running with medium integrity level theoretically could access passwords as well as anything else stored on the PC (in other words, 'you're owned' once you install it). This has not changed with the work done in IE11. It is recommended that users only install software from a trusted source and run anti-virus protection software to prevent a malicious app from getting installed. And, change their passwords frequently. IE's SmartScreen Filter feature helps protect users from downloading unsafe software as well.

    Thanks,

    Amy Adams [MSFT]

  29. Amy Adams [msft] says:

    @pmbAustin: This appears to be a site issue. Twitter sets their cookies to expire the next day (24 hours I'm guessing). I was able to stay signed into twitter until the cookie expired. I'm not sure exactly why they do that, but this appears to be by design.

    Thanks,

    Amy Adams [MSFT]

  30. Louis Martinez [MSFT] says:

    @OberstDanjeje – Apologies, I mis-spoke.  If your Microsoft Account is connected on a domain joined machine, your credentials can sync in, but nothing will sync back out.  Hope that clarifies things.

  31. emmanuel somwarbi says:

    Please help me to install my Internet Explorer on my computer.

  32. Asbjørn says:

    Credential sync is great and very much needed, but if you want to enhance security, it's missing a major part: the ability to generate a random password when you register for a site. See Apple Safari for a good implementation of this. This is an obvious companion to syncing passwords and something done by every third-party password manager for years.

    Also, the credential management UI (both desktop and modern) is horrible. Why is there no search function? I have to scroll down the list and read every single item, since they are not even ordered alphabetically.

  33. pmbAustin says:

    @AmyAdams … that's actually not what I'm talking about.

    Go to twitter.com and log out of it if you're logged in.

    Now click the link to log in.  Double-click in the user name text box… nothing happens.  Even though I might have JUST logged in minutes ago.  No password saved.

    Basically, I have to type this stuff in EVERY TIME I want to log in.  Which happens a lot, given I have two accounts and want to switch between them.

    Up until a month or two ago, I could do this easily…. when I logged out, then clicked the log-in button, I could double-click in the UserName text box, and a drop-down would appear, I'd select the correct one, the password would be populated, and I could log in without having to type anything (very useful when on, say, a Surface Pro 3 in tablet mode).

    Now, it doesn't save the user names or passwords any more.  So every time I switch, even if I'm doing it ten times in ten minutes, I have to re-type everything.  EVERYTHING.  ALL THE TIME.

    This has nothing to do with cookie expiration or 24-hour time-outs.

  34. Amy Adams [MSFT] says:

    @pmbAustin: I'm assuming you're talking about IE's password saving feature and not twitter's 'remember me' functionality that is tied to the cookie.

    Yes, I do repro this now when there is more than 1 password/account saved for twitter.com. When I click somewhere outside the form (e.g. like the 'Full Name' field in the 'New to Twitter' form below the login form) and then I go back and click in the username field, the username entries appear. And when I select one, the password is populated. Do you see the same behavior? That is odd and there is some sort of bug here.

    Anyway, we will investigate the issue. Thank you for reporting this!

    Amy Adams [MSFT]

  35. Amy Adams [MSFT] says:

    @Asbjørn: Thanks for the feedback on the password managers! There's definitely room for improvements.

    Regarding Apple's random password generator, I've found it to not work on all sites where I need to create an account due to the sites' password rules and restrictions. So, I can't always use the feature. I've found this to be true with other password generators, but especially problematic with Apple's implementation. Have you found a generator that works on all sites? Anyway, thanks again for the feedback.

    Amy Adams [MSFT]

  36. pmbAustin says:

    Thanks Amy!  I hadn't noticed if I click out and then click back in, the function returns.  That's a helpful workaround.  But yes, that's exactly what I'm seeing!  And it started not too long ago… a couple of months at the most I think.

    Thanks for looking into it!

  37. CrusJ says:

    Curious to know if the stored passwords use the same or better encryption to LastPass or 1Password. Can any MSFT rep comment on the security of stored credentials and how they are transmitted across devices?
