Hands-On Windows 178 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

 

Paul Thurrott [00:00:00]:
Coming up next on Hands on Windows, we're going to take a look at the Microsoft Password Manager. This is the Microsoft password management solution, of course, and it's sort of built into Windows 11.

TWIT.tv [00:00:13]:
Podcasts you love from people you trust. This is TWiT.

Paul Thurrott [00:00:22]:
Hello everybody and welcome back to Hands on Windows. Paul Thurrott, and we're continuing the two-parter that I'm doing here about password management and Windows 11. So last week we looked at third-party password managers and just password managers in general, the basics of, uh, setting up or moving to a new one, uh, the necessity of getting rid of your passwords from your other password managers, all that kind of stuff. So, uh, this week I'll bring it back home a little bit. Um, we will look at what password management looks like in Windows 11. And it doesn't look like much because Windows 11 itself, the actual operating system, does not have built-in password management capabilities. You may remember that it does have built-in password management capabilities, but for— sorry, I want to make sure I got that right— built-in passkey management capabilities. But for passwords, or really identity management, right, as we discussed last week, Microsoft relies on the Microsoft Password Manager, which is built into Microsoft Edge, the web browser.

Paul Thurrott [00:01:26]:
So as with Chrome, if you go in here, and in this case it is passwords and autofill, you can see this link for the Microsoft Password Manager. Now I don't normally use this, I use a third-party password manager, but I have used this in the past, which you can see because I have all these accounts still sitting here like an idiot. Exactly what I'm telling you not to do. And I have put everything kind of back together again, if that makes sense. I normally, I disable all this. If you're going to not use this but still use Edge, you should go into all 3 of these and turn off all the options related to autofilling your information, right? But I've turned them back on so that Edge will kind of work as, if not God, then at least Microsoft intended. So now it will ask to save passwords and passkeys. Those passkeys will actually be saved to the local device, which isn't super great.

Paul Thurrott [00:02:18]:
They're not super portable, but it will, it will do that for you. Okay, so this is configured, you know, correctly in Microsoft's idea of the world. And again, not what I would do, but after this break, we'll take a look at what it means to actually use this thing in Windows 11.

TWIT.tv [00:02:39]:
Hey Paul, hey everybody. This episode of Hands On Windows brought to you by this baby right here. This is the Thinkst Canary. This thing is dynamite. Look at it. What do you think that is? Is that an external USB drive? It's about that size. But you know what? It's not. See that? That's an Ethernet jack because this, this goes on your network.

TWIT.tv [00:02:58]:
This is a honeypot. This Thinkst Canary honeypot is so well designed it can be deployed in minutes and it can represent almost anything under the sun. A Linux box, a SharePoint server, Windows server. It could be, well, it could even be a SCADA device or mine's a Synology NAS. It could be an SSH server. The key is it looks identical to those things right down to the MAC address, but it's not. If somebody accesses, a malicious insider or hacker in your network accesses this thing, you're going to know instantly. It can also create files.

TWIT.tv [00:03:34]:
This is really cool. Little tripwires, lures you can put everywhere inside your network. You can put them on your cloud drives, and if somebody tries to open them, they can be spreadsheets. I have a spreadsheet on my Google Drive called payroll information. Hackers look for those. That's a good one. Uh, it could be a WireGuard configuration, be almost anything, but the minute somebody opens those files or accesses your— brute forces your fake internal SSH server, your Thinkst Canary is going to tell you you have a problem. No false alerts.

TWIT.tv [00:04:05]:
Just the alerts that matter. You can get them by email, Slack, it supports webhooks, you could have it in your Discord, you could have it anywhere you want. Syslog, of course, on your console. You just choose a profile for your Thinkst Canary device, so easy to do, you could change it daily if you want. Register with a hosted console for monitoring and notifications, and then you sit back and wait. An attacker who's breached your network, an evil maid, any adversary will make themselves known. They can't but help it. This is what they're looking for.

TWIT.tv [00:04:33]:
They're looking to get into that key file with all that information. They access your Thinkst Canary, you're going to know. Now, how many should you get? Well, you certainly should have one for every network segment. You should have one for every branch office. A large bank might have hundreds or thousands of them. Small operation like ours, just a handful. Let me give you an example. Go to canary.tools/twit.

TWIT.tv [00:04:57]:
If you wanted 5 Thinkst Canaries, one for every network segment, every VLAN, $7,500 a year. You get your own hosted console, you get upgrades, you get support, you get maintenance. All that's covered. Oh, and one other thing: if you use the code TWIT in the 'How did you hear about us?' box, you're going to get 10% off your Thinkst Canary, and not just for the first year but for as long as you own it. Uh, here's another good thing: you can always, you know, if you're at all worried and at all skeptical, whatever, you can always return your Thinkst Canary. You've got 2 whole months, a 60-day money-back guarantee, and you'll get a full refund. Now, I have to tell you, that might be reassuring, but during all the years, almost a decade now, that we've partnered with Thinkst Canary, that refund guarantee has never been claimed. No one's ever asked for their money back, 'cause once you get one of these, you're gonna say, "How did I live without it?" Visit canary.tools/twit, enter the code TWIT in the "How did you hear about us?" box. The Thinkst Canary, canary.tools/twit. Don't forget the offer code TWIT to save 10%.

TWIT.tv [00:06:01]:
Now back to Paul and Hands On Windows.

Paul Thurrott [00:06:06]:
Okay, so welcome back. If you are going to use the Microsoft Password Manager to manage your passwords, again, don't necessarily recommend that, but what this means is you'll need to install Microsoft Edge on your phone as well and your tablet if you're doing it that way. Um, go into settings and enable Edge as your autofill provider, right? I can't really show you that, but it's not super difficult to do. Even if you're— well, no, I was going to say even if you're not going to use Edge on phone, you might want to do that. Actually, that's one of the big limitations of this. I mentioned in the last episode, you want your password manager to be available everywhere. This is available everywhere Edge is, right? And so you could— you could not, I should say, use Chrome on mobile or Safari on mobile with the Microsoft Password Manager, right? You, you have to actually use Edge. It would work throughout the system, honestly, but as far as the browser goes, you know, you couldn't use those browsers on desktop.

Paul Thurrott [00:07:01]:
You couldn't use them on like, say, a Mac or Linux or whatever. They're kind of locked inside of Edge, at least on desktop. So that's a little bit of a limitation. Okay, so in the last episode, I went to Spotify, and I had created an account there previously. Let's see if I can get this thing to come up. So the, the interface here is the basic one. So your password manager, if you have a third-party password manager, is probably going to have a slightly nicer UI than this. But I have two sign-ins associated with Spotify here for some reason.

Paul Thurrott [00:07:40]:
But actually, I believe those are both the same account, not that it matters. And so that's how this kind of autofill thing will work. This is what it looks like. It's pretty basic. If you recall, you know, for example, when I go here, it's going to probably send me a code to my email. So I'm not going to actually do that. But that's, that's kind of how that works. If you were to go to Spotify and say, well, actually, I want to create a new account, right, which is something I'd done previous to the last show.

Paul Thurrott [00:08:04]:
But if I just go in here and say something like, you know, Bob, this is not a real account, but whatever. And now you get to this create password screen. This is where the Microsoft Edge— I should say the Microsoft Password Manager— password— yes, the Microsoft Password Manager falls short. It will auto try to autofill passwords already have saved, but what it's not doing, and what most third-party password managers do, is provide a complex password for you, right? So I'm trying to create an account, I want this thing to be complex. It's not something I should have to remember because it's going to be in the password manager. I'll always have that. It's going to be everywhere and it's nothing, right? And so I would have to sit here and type, you know, some crazy password.

Paul Thurrott [00:08:50]:
I just type garbage and see what it is. And that to me is, you know, one of those, one of those big problems. And so to me, this is not the greatest solution in the world. This is why I don't recommend it. But if you are going to use Microsoft Edge, if you're going to stick to the Microsoft ecosystem, if that's where your head is at, you need to do the same checkup on all your accounts. And actually, Microsoft Edge, or should I say the Microsoft Password Manager, has an okay interface for finding reused and weak passwords at least. And that's good, right? And so you're supposed to, you know, have a unique password in each, for each, every account. The thing I really like about this though is that it has this change link, and that's actually something you don't see in Proton Pass.

Paul Thurrott [00:09:40]:
So when I click this, it's going to go to the place on that account's website where I can change the password. It's in Spanish, sorry, because we're in Mexico here today. But that's actually a pretty useful feature. And so if you were using this and you wanted to move to a different password manager, it might be worth going through this first and just using it for that. What you're not getting here is the kind of dark web protections. You're not getting notifications for if there's 2FA or passkey support for one of these accounts. That's, you know, those are the services you see in the more full-featured third-party solutions, but still not terrible. And like I said, it does have this change link, which is super useful, frankly.

Paul Thurrott [00:10:27]:
So it's, if you were going to use this, definitely take advantage of that. And then beyond that, just what I already showed you really. I kind of blew through it quickly, but let me go back to the top here. In the sense that a password manager is really an identity manager, this first link for the Microsoft Password Manager is really about logins, right? So usernames and passwords, but it also manages payment methods, which I have some configured here for some reason. It has options related to shopping, which really have nothing to do with, with, oh boy, with password management, you know, Microsoft, but I didn't enable any of that. But they also have the ability to save and autofill addresses and have suggestions. And the idea there is that I've actually eliminated that, but I could have my— I have two addresses. So I have one here, I have one in back home in Pennsylvania.

Paul Thurrott [00:11:17]:
And when I have to fill out that information on a form, it will do that for me. So in that sense, you know, it's for a browser-based thing, it's probably roughly on par with what Google offers in Chrome. It's, it's not too, too terrible. But yeah, that's, that's most of it. So, so there it is. This is, that's Microsoft password management. It's, it's, it's on the basics, on the basic side. It's, it's not honestly horrible, but it's not as good as free third-party solutions like we see from Bitwarden.

Paul Thurrott [00:11:51]:
And Proton Pass. So strongly recommend going in that route, but I wanted to at least present this because I know some people who watch the show are going to want to do the Microsoft thing. And, uh, and that's where we're at. So thank you very much for watching. Um, thank you for supporting the show. You can learn more about Hands on Windows at twit.tv/how. We publish a new episode every Thursday. Um, so we'll see you again next Thursday.

Paul Thurrott [00:12:17]:
In the meantime, thank you for watching. Thank you especially to our Club Twit members. We love you. If you're not a member, consider joining, and you can find out more about that program at twit.tv/clubtwit. Thank you.

TWIT.tv [00:12:30]:
See you next week.

Leo Laporte [00:12:31]:
Hey everybody, uh, Leo Laporte here, and, uh, I'm gonna bug you one more time to join Club Twit. If you're not already a member, I want to encourage you to support what we do here at Twit. You know, 25% of our operating costs comes from membership in the club. That's a huge portion and it's growing all the time.

TWIT.tv [00:12:52]:
Uh, that means we can do more, we can have more fun. You get a lot of benefits, ad-free versions of all the shows.

Leo Laporte [00:12:58]:
You get access to the club, to Discord and special programming like the keynotes from Apple and Google and Microsoft and others that we don't stream otherwise in public. Please join the club if you haven't done it yet. We'd love to have you. Find out more at twit.tv/clubtwit.

Paul Thurrott [00:13:17]:
Thank you so much.