Summary
- Microsoft Edge is removing the Custom Default Password for its built-in password manager.
- Edge now uses Windows Hello or OS/device authentication to protect saved passwords.
- Windows Hello biometrics cannot be phished; device login is tied to your device's hardware and does not send data over the internet.
It’s no secret that Microsoft wants to get rid of passwords. This time last year, we saw Microsoft scrap passwords as the default option for new Microsoft accounts. You can still add one if you want, but the company will force you to use it first before setting a passkey or biometrics. Microsoft Edge will now no longer use a master password to unlock the password manager, and its alternatives should be more secure.
Microsoft Edge will now use Windows Hello or your device password
Personal Initial Password is deleted
If you’re using Microsoft Edge’s built-in password manager, there’s a good chance you’re opening it using your Custom Default Password. This is the “master password” you use to unlock your manager and access all your online account information. This is really convenient to have, but if anyone learns your Personal Master Password, they can use it to access your account information.
A few months ago, Microsoft published an article called “Keep your saved passwords private in Microsoft Edge.” In it, the company announced that it plans to get rid of the Custom Master Password altogether:
On June 4th, Custom Initial Password will be completely removed for logged in users. After this date, Microsoft Edge will automatically use device-based authentication (such as Windows Hello, device password, or OS-level authentication) to protect saved passwords.
Well, today is the day. Now that June 4th is here, people on Edge must switch to Windows Hello (which includes biometric logins) or sign in using OS-level authentication. Going the Windows Hello route makes your account more resistant to attacks than Personal Default Password, as it allows you to use a fingerprint, face, or iris scan to log into your account, which is impossible to phish or leak. However, if you don’t use Windows Hello, you’ll instead use your Windows device login, which is tied to your computer’s hardware and doesn’t need to send data over the internet to authenticate you. Sounds like a win to me.





