Hands-On Windows 177 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Paul Thurrott [00:00:00]:
Coming up next on Hands on Windows, we're going to take a look at password managers and how they work in Windows 11.
TWIT.tv [00:00:08]:
Podcasts you love from people you trust. This is TWiT.
Paul Thurrott [00:00:18]:
Hello everybody and welcome back to Hands on Windows. I'm Paul Thurrott and this is going to be the first of two episodes that I do about password managers. This is kind of in keeping with our beginning of 2026, you know, resolution security focus kickoff kind of thing. We just did a few episodes on securing online accounts, Microsoft accounts specifically, Windows 11, of course. And I did a two-parter on passkeys because passkeys are super important. But the core of our kind of security toolkit as individuals when it comes to protecting our online accounts and really our online identities are password managers. There's a lot of information here, so I had to make a couple of slides. I apologize in advance.
Paul Thurrott [00:01:06]:
I wasn't super excited about it either, but I think it's important just to be able to get through this stuff in a way that makes sense. So let's do that. So just what is a password manager? I think the big thing here is that this is a common thing. We've all heard of this. We all have actually used several of them, probably. The name is terrible. It's not a password manager. Even in the old days when all it did was manage passwords, it was really managing logins, right? Which is a combination of user accounts or usernames, I guess, and passwords, right? These days it's really an identity manager, right? So it manages all your logins, which is that username
Paul Thurrott [00:01:48]:
password combo, your payment methods, your identification documents, all kinds of personal information, you know, name, address, phone number, that kind of stuff. But they do a lot more too, right? The good ones will generate strong passwords for you. So when you create a new account, it will create this long, complex password. All of them will autofill logins everywhere, mobile and desktop, right? Also autofill things like payment information, other personal information as needed, on the web. It will scan your library of logins and look for passwords that are reused, that are weak, vulnerable, and compromised accounts. And the really good ones will point out the accounts that actually have different 2FA methods like authenticator app support or passkeys that you're not configured with yet, and then you can go add that to those accounts, right, to make sure that all of your accounts are as secure as possible. This thing will sync to the cloud so you can use it everywhere, and that's a big part of it. You want to be able to use this everywhere you are, and that means your phone and your PC, but whatever other devices you might have as well, including tablets, for example, or if you have multiple devices, right, multiple PCs or whatever.
Paul Thurrott [00:02:58]:
And these things are protected by the biometric security methods available on your device. So on your phone, you'll have something like Face ID or the Android equivalent. On Windows, we have Windows Hello, of course, with facial and fingerprint recognition. And this is just another layer of security on top of the other layers of security that exist to protect the password manager itself or whatever accounts that you have. And then beyond that, there's actually a lot more, and it depends on which password manager you go with, but you'll see things like emergency and continuity services. So if you pass away or are incapacitated, a loved one can access your password manager vault and get into your crucial information when it's most needed.
Paul Thurrott [00:03:41]:
Email alias generation for newsletters is available on some of them. It depends, and many more. But we're going to stick mostly to the basics here. When it comes to choosing a password manager, I think the most important thing to remember is that I said this earlier, it needs to be everywhere, right? On all your devices. That's— it's big. And then for actual solutions, you know, in the Windows space, I'm going to, I'm going to not focus too, too much on Apple because they have their own thing going on. But I would say there are two main choices that are free and third-party and excellent, and those are Bitwarden and ProtonPass. I actually use ProtonPass and I will be using that for whatever examples we have.
Paul Thurrott [00:04:22]:
But 1Password is very popular. Dashlane is very popular. Those are not free, but they're not super expensive for an individual. I think you're looking at roughly $30 a year or even less depending on which one you choose. But like I said, Bitwarden and ProtonPass are free and pretty full-featured versions. If you are in the Google and/or Microsoft ecosystems, and we are, you might want to use one of those password managers as well. Google has the Google Password Manager built into Chrome. That's something I will look at today, I believe.
Paul Thurrott [00:04:53]:
And the Microsoft Password Manager is built into Edge, and I'll look at that in the next episode. And it's time for a quick break. We'll be right back.
Leo Laporte [00:05:01]:
Hey Paul, if you don't mind, I'd just like to interrupt for a moment. Hope you're enjoying Hands on Windows. Our show this day is brought to you by Bitwarden. You know, we've talked about Bitwarden an awful lot. You know, it's the password manager I use. Steve Gibson uses it too. It is Bitwarden, the trusted leader in password, passkey, and secrets management. Bitwarden's consistently ranked number 1 in user satisfaction by G2 and Software Reviews.
Leo Laporte [00:05:27]:
Over 10 million users now. I'm really happy to hear that, over 180 different countries and more than 50,000 businesses. You know, businesses, this is really important for you, whether you're protecting one account for yourself or thousands for your company. Bitwarden keeps you secure all year long with consistent, regular updates. For instance, with the new Bitwarden Access Intelligence, this is great for your enterprise. Organizations can detect weak, reused, or exposed credentials and immediately guide remediation. Your employees will actually be walked through step by step to fix it, replacing risky passwords with strong, unique ones. And I tell you, for a business, this closes, if not the number one, at least one of the most significant security gaps.
Leo Laporte [00:06:12]:
I think it's number one. Credentials remain the top cause of breaches. With credential stuffing, you know, if your employee is reusing passwords, and they probably are, or using weak passwords, and they probably are, you need this. Access Intelligence will let you know and let them know. Those bad passwords will become visible, prioritized, and corrected before exploitation can occur. Bitwarden's also introduced something that individuals, self-hosters, will love. This is Bitwarden Lite, brand new. Bitwarden Lite delivers a lightweight self-hosted password manager.
Leo Laporte [00:06:49]:
So this is great for your home lab, for your personal projects. Any environment where you want quick setup, minimal overhead, and trust no one, right? I know this is something a lot of you want. Bitwarden is so great. You get to choose how you want to use it. That's the beauty of it because it's open source. Bitwarden is now enhanced with real-time vault health alerts and password coaching features that help users identify weak, reused, or exposed credentials and take immediate action to strengthen their security. You'll get direct— if you're still using your browser's password manager, Bitwarden makes it very easy to move over to Bitwarden from your browser. Much more convenient.
Leo Laporte [00:07:28]:
It's not just in your browser. Bitwarden's everywhere on every device. Bitwarden now supports direct import from Chrome, Edge, Brave, Opera, and Vivaldi browsers. So in— you've always been able to export and import. That's what Steve and I did when we moved to the other guy's password manager. And we moved over to Bitwarden a few years ago. We exported it and imported it into Bitwarden. Pretty simple, straightforward, did a beautiful job.
Leo Laporte [00:07:53]:
But there's always that risk because there's a period of time where you have an unencrypted version of your vault in your download folder. Direct Import eliminates that. It imports credentials right from the browser into the encrypted vault without requiring a separate plaintext export. So that makes migration easier, helps reduce exposure associated with manual export and deletion steps. Bitwarden just gets better all the time. It's one of the reasons I love being a Bitwarden customer. G2 Winter 2025 reports Bitwarden continues to hold strong as number one, number one in every enterprise category for six straight quarters. Bitwarden setup is easy.
Leo Laporte [00:08:32]:
It supports importing from most password management solutions. It's a very straightforward process. And once you're done, you're done, man. You're using the best password manager out there. Bitwarden is open source. That means it's GPL, it's on that GitHub, it's regularly audited by third-party experts. You can look at it. Bitwarden meets every security standard: SOC 2 Type 2, GDPR, HIPAA, CCPA, ISO 27001:2002.
Leo Laporte [00:08:58]:
It's secure, it's robust, and you can get started today with Bitwarden's free trial of a Teams or Enterprise plan. As an individual, free across all devices as an individual user, free forever, bitwarden.com/twit. That's bitwarden.com/twit. We love them. You will love them. Your company will love them, and they'll be very glad that they've switched. All right, now back to Hands-On Windows, Paul.
Paul Thurrott [00:09:28]:
So I went through a process where I had, um, created a new account in a password manager just so you could see what that looks like, right? Obviously I have all my accounts in my password manager. It's— it would be kind of a privacy nightmare to, you know, kind of show you all that. So instead of doing that, I'll just show you what that looked like. So I used ProtonPass for this, signed in for a free account on the web, which is what you're seeing here. And when you get into this account the first time, you have these choices. And this is actually kind of a nice screen because it shows you a lot of the things you can do with this. This is the Hide My Email alias I was talking about earlier, credit cards and other payment information. Information— sorry, notes.
Paul Thurrott [00:10:09]:
You can have an identity, and this is— I created one called Me. I think we'll see that in a moment. But basically, this is the phone number, address, other information related to you, etc. This particular solution supports custom items. You could, you know, upload pictures of your passport, your driver's license, etc., whatever you want. And then you can import passwords, which is probably something most people are going to do because we all have passwords in various password managers and all the browsers we've ever used, perhaps on Android or iOS or iPad or on the Mac or wherever. And so, if you're moving from say Chrome to, in this case, ProtonPass, you can export from that browser and then you can import into this new password manager. Okay.
Paul Thurrott [00:10:53]:
And this is what I'm doing here. So I created this account here. This is just a throwaway account I use for the book. There's nothing important associated with it. I was going to say you're welcome to hack it. I mean, please don't hack it, but there's nothing there. It's nothing important. And so I had exported my password collection from Chrome.
Paul Thurrott [00:11:12]:
I actually trimmed it down because, you know, I don't need the whole thing in there. And plus most of it's terrible. And I imported this sort of subset of it, if you will, as a CSV. And then I just kind of hid the account names here because whatever. But so this is just a shot of what it looks like after I had added those 4 accounts which were in the previous password manager. Okay. And let me just go into the main interface though, so you can actually just see that live. If I could just find it.
Paul Thurrott [00:11:45]:
I have 200 windows open here with my literal, my real password manager. I have configured this so that it is protected with 2FA. There's a passkey. I haven't done that yet and most likely will not, so I just have a password on this particular one, but it is prompting me to sign in. Now what I've done here is I just changed all the account names so you can't see the actual email addresses. So there's nothing wrong here, there's nothing to worry about. But as you click through each one of these, you can see that that's a weak password, that's a weak password, that's a strong password. This is an account I actually just created pretty recently.
Paul Thurrott [00:12:28]:
And the other thing worth looking at here is what the various options are. And these are going to be fairly consistent between password managers. But in this case, you can turn on things like dark web monitoring so you can see if any of your email or other personal information has leaked onto the dark web or has been exposed as part of a giant, you know, security vulnerability or whatever. It will list the passwords that you have that are weak or reused, like I said, and then you can go through those and, you know, configure those with better passwords, which this solution will provide for you. And it tells me that I have 2 accounts that could be set up with 2FA, 2-factor authentication, which is really nice. So there's a lot of good stuff going on here, and that's kind of beyond the basics, but it's worth going through all of this stuff. It takes time. It is fair to say you're going to have a lot more accounts than I have in here.
Paul Thurrott [00:13:23]:
So correcting each of these little issues does take time, but 100% worth it, of course. So I did create that account. Let me show you what that looks like here. So I went to Spotify. I just said, here's my email address. So I use this email address here, the Win1125H2 book account, and I just created a new account. And there's a couple steps you have to go through. I mean, obviously every online service has different interfaces for this.
Paul Thurrott [00:13:49]:
But when I got to this screen here, my password manager ProtonPass suggested a password, which I accepted, and then it asked to save it into its vault, which it did. And so I've actually erased the password here, but it has autofilled that. And I got in. And so rather than just talk about that, let's see what that looks like to sign in. So I created that account already. So here's Spotify. And when I go to log in, you'll see when I click on this, two things happen, right? And so what's happening here is that you can see two overlapping attempts at filling in this password. And that's because I didn't do one of the things you're supposed to do.
Paul Thurrott [00:14:32]:
I did that on purpose, by the way. When you replace the built-in password manager with a third-party password manager, which in this case is an extension, you have to actually turn off the old password manager, right? And so you do that in settings. And this is in a slightly different position or place in each browser, but it's pretty consistent. So autofill and passwords, I think in Microsoft Edge, it's actually passwords and autofill, whatever. But Google Password Manager in settings, sorry. And actually it is turned off. So that shouldn't have come up. So I guess I did do it correctly.
Paul Thurrott [00:15:07]:
That's kind of interesting. So, any password manager built into a browser is going to have this interface for signing in. In this case, Chrome uses Windows Hello, which is actually pretty nice if you want to use that password manager, import/export passwords, etc. So I did. So actually, I'm not sure why that showed up, but it shouldn't. But I will do this again. And the thing you can't see, it's kind of confusing why that's there, is the dropdown for Proton, right? And so if I continue here, it's going to— in this case, it's sending me the email, so it's not going to ask me for the password. So I could sign into this using the code that they will provide me with an email.
Paul Thurrott [00:15:45]:
So I guess I'll take 2 seconds to do that. But depending on the service and how they do security, they might just have you type in your password, in which case, obviously, this thing would do that for you. So I'm not going to actually go through. That doesn't really matter. So this is the more typical experience that I think most people are going to do. I'm not really covering mobile too much here because it's just too difficult to show that screen, but in the sense that it should be available everywhere. In Windows, you're going to install that extension in your web browser, and if you have multiple browsers, in all of your browsers, you know, sign into it. That will make it available here for all your sign-ins, right? So that's great.
Paul Thurrott [00:16:28]:
But you're also going to install the app on your phone or your tablet or whatever you have. And then you go into the settings interface on those devices and turn off all of the other autofill providers. And the way to get to it is to open the settings app on your phone or your tablet or whatever you're using and search for autofill. And then you'll see the password entry and just make sure that whatever password manager you've chosen is the one that you're using for autofill and the other ones are turned off, right? I think I mentioned this in a previous episode, but once you've done all this and you've imported your passwords, you've gone through the process of eliminating weak and reused passwords, you've set up 2FA everywhere, you've got everything exactly where you want it. There's one more step and it's important, and that is to go into the interface for your password managers in your browsers, in your mobile systems, wherever these things might be. And so here, I have this giant list of passwords that's still in Google. And what I should be doing is deleting these things. And depending on that solution, this could be a tedious one-by-one type of thing.
Paul Thurrott [00:17:39]:
But just like properly securing all those online accounts, it's super important to get that done and to not have multiple copies of all your passwords out in the world. That's part of the way that you may see yourself showing up on the dark web if you were to enable this feature, which I have on my real account. Okay, so that's the basics of password management in Windows, right? You'll notice that nothing here is in Windows. Everything I did was in a browser. I happen to use Chrome here, but this could be Edge, it could be any browser, it does not matter. Windows 11 has built-in support for managing passkeys, but it does not have built-in support for managing passwords. That's built into Edge. And so in the next episode, we're going to take a look at that.
Paul Thurrott [00:18:25]:
What does it look like to manage passwords inside the Microsoft ecosystem specifically? So we'll do that soon. Thank you so much for watching. I hope you found this useful. We'll have a new episode of Hands on Windows every Thursday. You can find out more at twit.tv/how. Thank you for watching. Thank you especially to our Club Twit members. You know we love you, but if you're not a Club Twit member, do consider joining, and you can find out more about that at twit.tv/clubtwit.
Paul Thurrott [00:18:57]:
Thank you. I'll see you next week.
Leo Laporte [00:18:59]:
Hey everybody, Leo Laporte here, and I'm going to bug you one more time to join Club Twit. If you're not already a member, I want to encourage you to support what we do here at TWiT. You know, 25% of our operating costs comes from membership in the club. That's a huge portion, and it's growing all the time. That means we can do more, we can have more fun. You get a lot of benefits— ad-free versions of all the shows, you get access to the Club TWiT Discord and special programming like the keynotes from Apple and Google and Microsoft and others that we don't stream otherwise in public. Please join the club if you haven't done it yet. We'd love to have you.
Leo Laporte [00:19:41]:
Find out more at twit.tv/clubtwit.
Paul Thurrott [00:19:45]:
Thank you so much.