How Windows 8 helps remember passwords

Windows 8
The Windows 8 interface for managing the Credential Vault

Passwords are almost a joke these days; every site has different rules to try and force you to create a secure password, making it harder to remember – which means we're more likely to reuse the passwords we can remember.

In 2007, the average user had 25 accounts with passwords, but they only used six or seven different passwords, so each password was reused on three or four sites.

Five years on, passwords are even more likely to be reused; even if you log into more services with your Facebook or Twitter ID now, you probably have more than 25 accounts.

Windows 8 is going to help by remembering passwords used in IE10 for you (stored in a Credential Password Vault), so you can make them more complex and more secure, and it's also going to sync the credentials those passwords unlock onto every machine you use your Windows Live ID with (unless a website like your bank tells the browser not to save the credentials).

That saves you struggling to tap out a long, complex password on a tablet Microsoft Technical Fellow John Shewchuk explains. "Suppose I've logged into [a site] and now I'm running to the airport. I've got my tablet with me. And I'm loaded up with baggage, and I want to go see what's going on .Do I really want to type in with one hand on there?

Because the Windows Credential Vault, that password vault, has synchronized between all my machines, my credential has flowed from my work machine over to my tablet and I simply log in without having to enter any information."

Windows 8 Credential Vault explained

The credentials don't have to be just passwords; they could also be the complex two-part 'key pairs' of long, mathematically related numbers that you usually need separate security hardware for (like the digital key fobs with frequently changing numbers some banks and credit cards use).

These store the secret key and generate a related number that lets you prove you have access to the secret key without ever saying what it is (so it can't be phished or captured by a key logger).

So far we've needed a separate device to store the secret key securely and to show you the related number. (Secure Web sites use similar key pairs to encrypt the information to and from your PC but they're created from scratch by the browser and Web server every time you log in with your – probably insecure – password).

A lot more Windows 8 machines will have a secure Trusted Platform Module that can store the secret key, so we can finally start to switch to secure credentials instead of passwords that are easy to forget or lose (one of the key ideas in the rarely used CardSpace feature from Windows Vista).

Virtual smartcard

NO HARDWARE: This tablet has a TPM that Windows 8 uses as a virtual security token – usually you'd need a smartcard reader to log in to a work PC like this

The credentials in the vault are encrypted using your Windows account password, and then encrypted a second time before they're synced through your Live ID. That's one reason that Windows 8 will force you to make that a complex and secure password (and you can't leave it blank any more).

To make that convenient to use on a tablet you can draw a pattern on a picture to log in – and if you forget your Windows password you can reset it from another PC using your Windows Live ID, so you don't need to make a password restore USB stick any more.

You'll also have to prove your identity before you can 'trust' the PC you sync them to, by giving Windows Live a second email address or a mobile number it can text a security code to, so anyone who gets your Live ID password doesn't get all your other passwords too – Windows 8 will make you set that up the first time you use your Live ID on a PC.

You can always sign in to your Windows account, even if you can't get online – or if there's a problem with your Live ID – because Windows 8 remembers the last password you signed in with successfully (again, that's encrypted in the Password Vault).

Live secondary

TRUST ME: Verifying your Live ID with another email address and trusting Windows 8 PCs

IE10 will definitely use the Password Vault, but other browsers and apps can save credentials there says Microsoft's Sunil Gottumukkala; "The APIs for storing the passwords are available to both desktop and Metro style apps. So, any browser could provide this functionality on Windows."

Is Live ID ready to cope with millions of passwords being synced between PCs? The Windows Live team says in a recent job advert that the Cloud Directory Platform that Live ID runs on "scales to billions of transactions [and] stores billions of users, profile and their relationships". Windows Live corporate VP Chris Jones told us the Live infrastructure is "built to support over 500 million active users a month" (he also mentioned that the sync will also work from behind firewalls without problems).

But will you only get to sync credentials to another PC? If you have complex passwords, you don't want to type them in on a phone any more than you do on a tablet.

The same job advert talks about enabling "new scenarios that make Windows Live the one-stop-shop for users to connect with friends and all their social networks, more richly and immersively than ever, across their PC, browser, and phone experiences" and says "the next Wave of Windows Live [will] light up computing devices to be ever more personalized".

We'd hazard a guess that devices means phones as well as tablets. This could be the same sync of favourites, browsing history and passwords to your phone that Mozilla has with Firefox on mobiles, and with Windows Live-powered aps like OneNote and SkyDrive appearing on Android and iPhone we wouldn't be surprised to see it work for more than just Windows Phone.

The password sync is optional in Windows 8 but if Microsoft wants people to adopt it – and if IE10 is going to carry on competing with Chrome – password sync is going to have to work on multiple platforms (including phones and Windows 7).


Mary (Twitter, Google+, website) started her career at Future Publishing, saw the AOL meltdown first hand the first time around when she ran the AOL UK computing channel, and she's been a freelance tech writer for over a decade. She's used every version of Windows and Office released, and every smartphone too, but she's still looking for the perfect tablet. Yes, she really does have USB earrings.