ISSUE 18.37.F • 2021-09-27

Not a Plus Member yet? Join today!
Get MS-DEFCON Text Alerts!

ADVERTISEMENT

Invoice and Accounting Software for Small Businesses The best cloud based small business accounting software. Send invoices, track time, manage receipts, expenses, and accept credit cards. Free 30-day trial!

LANGALIST

By Fred Langa

Browser-based password managers have an obvious vulnerability on shared PCs: anyone with access to the browser might also have access to all its stored passwords!

Today’s lead item discusses two separate ways to prevent unwanted password sharing. One is extremely secure but takes a little time to set up; the other takes only seconds but is less secure. Here’s the scoop!

Plus: Improved searching for old content on AskWoody.com!

AskWoody subscriber Ax Kramer was thinking through the security issues that accompany browser-based password managers, and he had some excellent questions. His specific concern is about Edge, but the same ideas apply to most major browsers. He wrote:

Fred: Your recent password manager discussion [in Getting started with a password manager app, second item in the 2021-09-06 LangaList] was appreciated, but I still have questions about using a built-in password manager, such as Edge’s.

How does it store the passwords? Are they encrypted so that the stored passwords are unreadable by anyone else? How do I prevent anyone else in the family who has access to my computer and starts up Edge from accessing sites with my saved passwords?

Thanks as always for your comments.

Good questions, Ax! And I think you’ll like the answers.

Edge-stored passwords are encrypted using the still very safe AES-256 encryption standard. The encrypted passwords are stored mostly locally but are linked with, and through, either an associated Microsoft account or an Edge user profile. This way, each Windows user or Edge profile user can have their own private store of passwords.

There are two main ways to set this up. One is more secure but takes longer; the other is faster but less secure.

The most secure approach is for the administrator (probably you) to provide each additional user of a PC with their own separate Microsoft/PC-login account. (Remember, Microsoft accounts are free — you can set up as many as you’d like.) Each account gets its own login and password, its own user area on the local drive, its own associated Web services (such as the 5GB free OneDrive space), its own copies of the standard Windows apps (e.g., Edge), and so on.

As long as you set up the additional accounts as non-administrator Guests, Standard users, or Children, they’ll have access only to their own passwords. (Admins, of course, can go anywhere and access anything on the system.)

Adding a new user account to Windows is easy but takes a few minutes. You can read the full how-to details in the Microsoft support article Add or remove accounts on your PC, but the gist is this:

Figure 1. The surest way to keep each user’s browser-stored passwords separate is by adding separate Windows user accounts.

With every user having their own login and, in effect, their own copy of Edge, the passwords will be maintained separately with no mingling or crossover. That’s why this is the most secure method for managing Edge passwords.

The easier but less secure approach is to create one or more additional Edge user profiles within the browser itself. It’s super simple: just click on your profile pic, select Add profile, and follow the instructions. (See Figure 2.)

Figure 2. Click on your Edge profile pic, then select Add profile to create separate users within Edge.

Edge profiles can be generic (e.g., “Profile 1,” “Profile 2,” etc.) or be given any name or email you wish. No local, Windows, or Microsoft login is needed. You can switch to any Edge profile, on the fly, by clicking on the active profile picture and then selecting the desired alternate Profile. One click, and you’re there.

Each Edge Profile independently stores its encrypted passwords away from other Profiles, but because one copy of Edge is managing all the Profiles, it’s less secure than using wholly separate accounts.

Plus, because all the Edge Profiles live inside Edge in one user’s Windows account, there’s also more risk and exposure for that user. As Ax suspected, this is more of an honor-system approach. The users of the alternate Edge profiles can switch to any other profile, or even exit the browser, and be on the host user’s desktop with access to everything. Clearly, you have to trust your fellow users for this to work.

So yes, Edge can store passwords with good security — and does allow multiple users to share the same PC, or the same Edge installation, with no mingling or crossover of passwords.

For maximum security, provide each user of the PC with their own separate Windows login so they can have and use their own copy of Edge — or any other browser and password manager they wish.

For faster setup and easier operational switching, but with much lower security, give each user a separate Edge Profile.

Finally, for lots more information on how Edge handles password management, see the support article Microsoft Edge password manager security.

Subscriber Norm Freidin finds the AskWoody.com search tools somewhat lacking.

Hi Fred!

Love your articles, but one thing that annoys me is that many times I see an article I enjoy BUT then have trouble finding it afterward!

Not quite sure how to do a CTRL-F (Find) on all ASKWOODY articles, but it would very handy LOL!

Any suggestions?

Yeah, I hear you. There was a while there when I sometimes couldn’t reliably find my own articles online! But it’s getting much better.

Part of the problem was that the AskWoody newsletter database bears some scars from the many hands it passed through over the years. Every time the content was sold and moved to a new publisher, there was a different database and infrastructure, The articles themselves mostly migrated fine, but tons of metadata — custom keywords and search terms, links to embedded graphics, etc. — were irretrievably lost. Sigh. To his credit, Woody invested heavily to do the best integration possible, more than can be said for previous owners.

Today’s AskWoody newsletter content is kept in one database; the interactive Forum content is in another. Each has its own front-end search engine, which you’ll find in the right-hand pane of the AskWoody.com layout. (See Figure 3.)

Figure 3. AskWoody lets you search the newsletter content, the forums, or both (in a limited way) under Advanced Search.

As you’ve discovered, the newsletter-content search (added just this past March) is pretty basic, but the separate (and custom-written) Forum database search tool is more flexible — especially through its Advanced Search functions. (See Figure 4.)

Figure 4. AskWoody’s Advanced Search functions allow far more flexibility than does the basic search.

Here’s the thing: Editor Will Fastie has been ensuring that all newsletter content is accessible in the obvious location — the newsletter content database — but has also improved the “stub” or “pointer” articles in the Forums (see AskWoody Improvements, 2021-04-05). These stub articles are indexed and are findable through the superior, flexible Forum search tool; what’s more, they provide one-click access back to the original, full-text, newsletter version of the article.

This way, if you search using the detailed, powerful Forum search tool, your results will include not only relevant forum items but also any newsletter item stubs that match your search terms. One more click on the link you’ll find in the stub article, and you’re back to the full text.

Here’s an example of the two ways to search AskWoody. Let’s say you wanted to see what AskWoody has had to say about OneDrive. AskWoody.com’s Search Newsletter function could do that. You’d type in the word onedrive, hit Enter, and then see a list of dozens of AskWoody and Windows Secrets articles on OneDrive, stretching back many years.

But if you wanted a much more targeted search — say, to find articles about OneDrive, but only those written by me, and only in the last half-year — you’d do better with the Advanced Search function that appears beneath the Search Forum box. When the full search form opens (Figure 4), you’d enter onedrive as the Search keyword, langa as Author, and last six months as the search Period. Click Search, and you’ll see a list of all the stub articles and related Forum content that match your search criteria. Excellent!

No, it’s still not perfect — some secondary and tertiary topics can’t easily be included in the very brief article stubs, for example.

Send your questions and topic suggestions to fred@askwoody.com. Join the conversation! Your questions, comments, and feedback about this topic are always welcome in the AskWoody Lounge!

Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all of Fred’s current projects.

If you purchase after clicking this ad, AskWoody may receive a small commission.

MICROSOFT 365

By Peter Deegan

In a few weeks, some Outlook software will stop working with Microsoft’s online services, such as Microsoft 365.

If you thought that Microsoft products would always work with Microsoft’s own services, I have bad news. There’s a cutoff point. Microsoft is stopping some versions of Outlook for Windows from connecting to Microsoft hosted mailboxes.

Starting on November 1, 2021, only Office 2013 Service Pack 1, with up-to-date patches, and later Office releases will connect to Microsoft-hosted mailboxes

“Microsoft-hosted mailboxes” include any mail hosted under Microsoft 365 Business, Enterprise, Government, or Education plans, and also Outlook.com or its predecessors Hotmail, MSN, and Live. All these services use Microsoft’s Exchange Server to store and manage your mail.

Earlier versions of Office/Outlook, including Outlook 2007, Outlook 2010, and Office 2013 (before SP1) won’t be able to connect. Office 2007 and Office 2010 are already out of support. Office 2013 extended support ends in April 2023.

Office 2013 users are almost certainly OK, because Service Pack 1 was released back in 2014 and the software should have updated long ago. To check, go to File | Account (Office Account in Outlook), then About. The version should be higher than 15.0.4569.1506 (most likely around 15.0.5371).

Dropping support for older Outlooks is security-related. The connection between Modern Microsoft mail and Outlook is more secure than in years past. Most of those changes have been automatic and unseen by us mere mortals.

Until now, Microsoft’s systems have accepted older, insecure logins (called “Basic Authentication”), but Redmond has decided that it’s time to drop the olden ways. The company has been warning users, especially administrators, about this change for some time.

If you’re using a Microsoft Office older than Office 2013, it really is time to upgrade. Those older releases are increasingly risky from a security point of view and now can’t even safely connect to Microsoft mailboxes. Secure mail connections are becoming the norm for non-Microsoft mail (or should be).

Any recent Outlook (2016, 2019, 2021/LTSC or 365) connects to Microsoft hosted mailboxes more securely and with one better option. Some or all the mailboxes can be synced offline but the default is only recent messages; I prefer a full sync (a backup). Click on File, Info, and then Account Settings. Choose an account then click Change. For Use Cached Exchange Mode to download email to an Outlook data file, move the slider right to All.

It’s time to consider switching to Microsoft 365 annual plans (Family or Personal) or the “perpetual license,” one-payment version of Office. That’s currently Office 2019 — but it’s about to be replaced, so this isn’t a good time to buy.

It’s better to wait until Office 2021 is released on 5 October — to get more-recent software with a few more features and a longer support time. A discount opportunity for Office 2021 may present itself if you wait a little longer.

That’s where Web-based email comes in handy. Webmail is always a great fallback position for checking your mail. All you need is a modern and up-to-date browser such as Edge, Chrome, Firefox, or Safari. Don’t use Internet Explorer!

After November 1, use a browser-based connection to your mailbox until Office 2021 is installed. Office 2021 should pick up your existing Outlook settings, but it’s always a good idea to get a backup of your Outlook data files and make a note of the current account connection settings (address, password, connection settings), just in case.

Join the conversation! Your questions, comments, and feedback about this topic are always welcome in the AskWoody Lounge!

Peter Deegan is the author of Windows 10 for Microsoft Office Users, Microsoft 365 for Windows: Straight Talk, Eye-Catching Signs with Word, Christmas Cheer with Office, and others. He is the co-founder and editor in chief of the Office Watch site and newsletters since they started in 1996.

You’re welcome to share! Do you know someone who would benefit from the information in this newsletter? Feel free to forward it to them. And encourage them to subscribe via our online signup form — it’s completely free!

Like what you see in the AskWoody FREE newsletter? Become a PLUS member! As a Plus member, you’ll receive the full newsletter, including all our great content about Windows, Microsoft, Office, 365, PCs, MS-DEFCON Alert notifications, useful and safe freeware, and Susan Bradley’s sought-after patch advice. Plus membership also allows continuous access to the complete archive of nearly two decades of Windows Secrets and AskWoody Newsletters. Naturally, Plus members have all the benefits of free membership, including access to the popular AskWoody forums. The cost? We’re supported by donations — choose any amount for a one-year membership. Every little bit helps.  Join AskWoody PLUS Today!