Hot Take Microsoft is removing a security feature from the Edge browser

Parkinsond

Edge's built-in password manager lets you secure passwords and autofill with two security options: Windows Hello or a standalone password. The latter is now on its way out, as Microsoft decided to discontinue the primary password in favor of the device sign-in or Windows Hello.

Starting with Edge 146, users will no longer have the ability to create a custom primary password. However, the feature will remain available for existing users for a couple of additional months. On June 4, 2026, Microsoft will pull the plug for existing users and switch them to device authentication.

 
I think MS Edge is the program that changes its settings the most in the shortest amount of time.
Bill like it

 
Microsoft Edge Removes Master Password Feature, Switches to Windows Hello for Saved Password Access
Microsoft has removed the Custom Primary Password (master password) feature from Microsoft Edge starting June 4, 2026. Users who previously activated the feature will now need to use device-based authentication methods to access their saved passwords.

This includes options such as Windows Hello with PIN, fingerprint, or facial recognition, or the device's standard operating system login. The change was first introduced with the release of Edge version 145 and aligns with Microsoft's broader shift toward passwordless authentication.

This shift also includes the announced phaseout of SMS two-factor authentication for personal Microsoft accounts last month.
 
A bit of a mixed bag courtesy of Microsoft. On one hand, they "liberate" us from the torment of remembering an extra password thanks to Windows Hello. On the other hand, if your PC PIN is shared at home, congratulations: you just gifted access to everything, from your emails to your bank accounts.

In short, this confirms what many of us suspect: browsers are fantastic for browsing, but for holding keys… a dedicated vault is best. Third-party password managers are still light years ahead in security and save us from being guinea pigs for Edge's constant experiments. 🔐🛡️
 
I still use text passwords zipped with WinRAR with 91 files in it & password protected. It's maybe more fiddly but it's mine & doesn't need to be uploaded anywhere & free. Not perfect but it works well & it goes onto a USB as needed. I also have my email passwords in it, though I have those printed too. I have never used a browser system but do have a few pass-codes on this PC. All my banking is done on iPhone / iPad with face / fingerprint so???
 
If you store passwords in a browser or in a browser extension, you do not care about your security anyway, so whatever.
After seeing this news, I'm thinking about going back to using on-device KeePassXC and not store passwords in the cloud like using a password manager. I'm using Proton Pass at the moment.
In the case of Dashlane, some users were unable to log in for more than 7 hours, which is unacceptable.
 
If you store passwords in a browser or in a browser extension, you do not care about your security anyway, so whatever.
Here I am... 🙋🏻‍♂️

I do care about security and for that reason, I'm not giving ALL my passwords to third party company.
But it's encrypted!!!!!!
I don't care! Besides, does anyone have any proof ALL passwords are encrypted? Even if they are encrypted—one master password and all your passwords are revealed. Marvelous invention!

MEGA also promises they can't decrypt your files, but security researchers proved otherwise.
My password manager is audited every single year...
Well, good for you! I just hope they don't change the code after the audit; it would be such a shame if they did that.
If your password gets leaked, someone can break into your accounts...
Just like they will in yours too.

No matter if your password is 123456 or ot0671i!P,2[F4W6KMpJ+p>, if passwords leak then they are getting in accounts anyway.
So I'd argue, it's not me that doesn't care about security, you're the one that doesn't care about security if you only use passwords and rely exclusively on the password manager.

Let me ask you this as well: what happens if your password manager decides to lock you out from an account, or worse, suspend it? You lost all your online accounts.
That will never happen...
Well, tell that to users that got locked out.

I tried password managers, didn't like the concept, deleted accounts after a day. Nowadays, I still keep my passwords saved in the browser and use 2FA on important accounts. Even if someone breaches the password; 2FA is impossible to beat without advanced engineering and cookie theft. Though when it comes to cookie theft, no password manager will save you.
 
Is a standalone password manager app more secure than its browser extension?
I'd trust standalone password manager more than the extension (cloud) one any day of the week.
After seeing this news, I'm thinking about going back to using on-device KeePassXC and not store passwords in the cloud like using a password manager. I'm using Proton Pass at the moment.
In the case of Dashlane, some users were unable to log in for more than 7 hours, which is unacceptable.

You absolutely should. Your passwords shouldn't have a place on someone else's computer.
 
You absolutely should. Your passwords shouldn't have a place on someone else's computer.
If I understand correctly, you keep your passwords in your browser, but you haven't enabled the synchronization feature, otherwise your passwords would be on someone else's computer too (Mozilla), right?
 
If I understand correctly, you keep your passwords in your browser, but you haven't enabled the synchronization feature, otherwise your passwords would be on someone else's computer too (Mozilla), right?
Oh, I do have a sync turned on. But the passwords of important accounts are never saved or synced anywhere. Pretty much all my passwords saved in the browser are Reddit, various internet forums and such; passwords of accounts I can afford to lose.

Passwords of importance such as of Google, Microsoft, Cloudflare, GitHub account are never saved anywhere. That's what I forgot to mention.
 
Here we go for the umpteenth time.
I’ve spent a lot of time trying to understand the attack surface of popular password managers. I think I’ve spent more time analyzing them than practically anybody else, and I think that qualifies me to have an opinion!

First, let’s get a few things out of the way. For some reason, few subjects can get heated faster than passwords. Maybe politics and religion, but that’s about it. It’s okay if you don’t like my opinion.

Second, everyone needs to be using unique passwords. You don’t have to use a password manager to do that, whatever system works for you is fine. If you want to use a notebook in a desk drawer, that’s totally acceptable.
You can read the post for his technical analysis so I didn't include it here.
If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

I use Chrome, but the other major browsers like Edge or Firefox are fine too. They can isolate their trusted UI from websites, they don’t break the sandbox security model, they have world-class security teams, and they couldn’t be easier to use.

No doubt there will be many people reading this who don’t like this advice. All I can say is I’ve heard all the arguments, and stand by my conclusions.
Ormandy's analysis works for me. (y):cool:
 
No matter what method we choose to manage our passwords, this update in Edge highlights a much broader conversation: the fundamental trust we place in our digital environments. Having peace of mind with our choice—whether it’s a dedicated manager, the browser, or an alternative system—is essential. In the end, it’s all about where we draw the line, because if we open the door to doubting one specific tool, the big picture question about the security of the whole chain is always lurking in the background. 🔐🌐
 
Don't panic when you see news like this. Otherwise, use whatever you like and think is best, or use a desktop-based password manager like KeePassXC, KeePass, Enpass, Sticky Password, or Proton Pass without an extension. If your browser supports drag & drop passwords into the password field, great; if not, just use copy and paste or Ctrl + C & Ctrl + V and be happy. ;)
 
Here we go for the umpteenth time.

You can read the post for his technical analysis so I didn't include it here.

Ormandy's analysis works for me. (y):cool:
I'm not a fan of browser's password manager because they can be stolen by malware. I have seen some data stealers extracting all the cookies, passwords and other saved info in the Temp folder and then zipping them to upload to the malicious C2C.
Old school (no pun intended 😁) method like storing in a notepad is more secure.
But if we start to distrust software for whatever reason, how can I trust that Microsoft Defender or any antivirus software is not logging my passwords or even my web browser itself?
Don't panic when you see news like this. Otherwise, use whatever you like and think is best, or use a desktop-based password manager like KeePassXC, KeePass, Enpass, Sticky Password, or Proton Pass without an extension. If your browser supports drag & drop passwords into the password field, great; if not, just use copy and paste or Ctrl + C & Ctrl + V and be happy. ;)
I forgot that the password manager app and even the extension also store the encrypted password vault locally on device. I was thinking that everything is loaded from their server all the time, which is not correct.
That changes things for me a bit. For me it is less about trusting/not trusting since password managers have been proven to be reliable. For me it's more about not being able to login to my account to use password when needed.
 
I'm not a fan of browser's password manager because they can be stolen by malware. I have seen some data stealers extracting all the cookies, passwords and other saved info in the Temp folder and then zipping them to upload to the malicious C2C.
Old school (no pun intended 😁) method like storing in a notepad is more secure.


I forgot that the password manager app and even the extension also store the encrypted password vault locally on device. I was thinking that everything is loaded from their server all the time, which is not correct.
That changes things for me a bit. For me it is less about trusting/not trusting since password managers have been proven to be reliable. For me it's more about not being able to login to my account to use password when needed.
Saved passwords, at least in Firefox, are encrypted, so the only thing malware can actually steal is an encrypted database. I'm not sure about other browsers though. You can even enhance security by using the master password feature in Firefox.

However, I'm not sure if cookies are encrypted (I think not). Google did mention something about encrypting them in Chrome, but apparently, this was hacked multiple times and doesn't actually provide that much of a protection.

Anyway, secure PC is the most important. Even the most secure software doesn't mean anything if it's installed on PC with malware.
But if we start to distrust software for whatever reason, how can I trust that Microsoft Defender or any antivirus software is not logging my passwords or even my web browser itself?
Technically, yes. Defender is more deeply integrated than other security software. But if they were actually doing this, it would already be noticed by thousands of security engineers and researchers controlling what Microsoft does.

If they did that, that would ultimately be the end of Microsoft because no one would trust it anymore with their data.

This is why I mainly only use open source software and apps.