Stored Passwords–Beware, and know.

How many passwords do you have?  How many of them are unique?  How many of them would cause you, should they fall into the wrong hands, grief, hardship, financial loss?

Now what would you say if I told you that anyone with even a little knowledge could access all of those passwords, and that it would be your fault?

The world has gotten a lot busier since I was a kid.  Back then, the only password I really had to know was the combination to my school locker.  Today, as I peruse my password manager vault, I have over two hundred (200) individual passwords stored.  It is impossible for anyone to remember all of those, so Microsoft decided to help us out.  A lot of the passwords for the web sites we visit on a regular basis are stored in the Windows Credential Manager, so that we do not have to remember them every time.  Every time you click ‘Remember my password’ an entry is made in the Windows Credential Manager, and most people will forget that it is there… if they ever knew it was there in the first place.

If this is your personal computer, and you never give it to anyone else to fix, then it is really not that big a deal.  But what happens when you hand your computer to a tech to fix it?  What happens if you leave your job, and the company takes the computer back?

The following guidance is not comprehensive, and it is not a method of protecting your passwords; it is meant to open your eyes to the dangers of using your online passwords on shared computers.

1) Open the Windows Credential Manager.  From the Start Menu, type netplwiz.  If you are not a member of the local administrators group, you will be prompted to provide elevated credentials.  The User Accounts window opens.

2) Click the Advanced tab.

3) In the Passwords context, click Manage Passwords.

At this point you have a couple of options.  The Web Credentials context appears by default, but the Windows Credentials context is there too.


In the Web Credentials context, you will see a list of the sites for which you have stored your passwords.  You can expand any entry to see its details: the site address, the user name, and the saved password.


You see that blue word ‘Show’?  That means that if you click there, your password will be displayed in clear text.  It is small consolation that you are required to enter your Windows password for that to work, because if you handed your computer to a technician then you probably handed them your password as well.  Worse, if you left your job, the IT department can very easily change your password to anything they want, and then have access to all of this.

It is again of little consequence that on the Windows Credentials side, you do not have the ‘Show’ option.
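Before handing a machine to anyone else, it is worth knowing exactly what is saved on that Windows Credentials side and clearing it.  The following PowerShell script is an added example, not code from the original post: it inventories the Windows Credentials entries with the built-in cmdkey tool (which lists targets and user names but never prints passwords) and removes them with a dry run first.  It assumes cmdkey.exe is available (it ships with Windows); the function names are mine.  Web Credentials are not exposed by cmdkey and must be removed through the Credential Manager window described above.

```powershell
# Added example (not from the original post). Inventory and purge the
# Windows Credentials side of Credential Manager using cmdkey.exe.
# Assumes cmdkey.exe ships with Windows (it does on supported versions).
# Web Credentials (the 'Show' list) are not visible to cmdkey.

function Get-StoredCredentialInventory {
    # Parse "cmdkey /list" into objects. cmdkey prints blocks like:
    #   Target: Domain:target=TERMSRV/server01
    #   Type: Domain Password
    #   User: CORP\alice
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        $text = "$line".Trim()
        if ($text -match '^Target:\s*(?<raw>.+)$') {
            if ($current) { $entries += $current }
            $raw = $Matches['raw']
            # cmdkey /delete wants the name after "target=", not the whole string.
            $name = if ($raw -match 'target=(?<n>.+)$') { $Matches['n'] } else { $raw }
            $current = [pscustomobject]@{ Target = $name; Raw = $raw; Type = ''; User = '' }
        }
        elseif ($current -and $text -match '^Type:\s*(?<t>.+)$') { $current.Type = $Matches['t'] }
        elseif ($current -and $text -match '^User:\s*(?<u>.+)$') { $current.User = $Matches['u'] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Remove-StoredCredentials {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$TargetFilter = '*')   # e.g. 'TERMSRV/*' for saved RDP logons only

    $matching = Get-StoredCredentialInventory | Where-Object { $_.Target -like $TargetFilter }
    foreach ($entry in $matching) {
        if ($PSCmdlet.ShouldProcess($entry.Target, "Delete stored credential for user '$($entry.User)'")) {
            cmdkey "/delete:$($entry.Target)" | Out-Null
        }
    }
}

# Review what is saved (no passwords are shown; cmdkey does not print them).
Get-StoredCredentialInventory | Format-Table Target, Type, User -AutoSize

# Dry run first, then prompt for each deletion when you are ready.
Remove-StoredCredentials -WhatIf
# Remove-StoredCredentials -Confirm
```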


So yes, for people who want complete convenience with little regard for security, this is a great feature.  If you are so inclined, you can even click the Back up Credentials button at the top and save all of your credentials to port them to another machine (it does encrypt this file, and you must provide a password for it).  However, if you are at all concerned about security, and especially if you are one of those people who tends to reuse the same passwords (hey, I thought of a great password to use for online banking… let’s use the same password for my recipe-sharing forum!), then you should be aware of why you should not do that.  Rather than using the Windows Credential Manager to store your passwords, look into a password vault solution (See article), and possibly even pair it with a multifactor authentication solution (I have a few, including my Yubikey).

Passwords stored in clear text are never a good idea, and the fact that Windows still does it for websites baffles me, especially since I remember learning about non-reversible encryption algorithms back in my Windows 2000 Server classes.  Now that you know that Windows does it, you might take a few extra precautions.
