Windows Password Manager: Top 5 Security Tips for Browsers

Windows password managers weren’t always popular. It wasn’t too long ago that Windows password managers were discouraged by cybersecurity professionals. That thinking has changed over the past several years, however. That’s because the world is a lot more complicated now. According to a recent Harris Poll, the average American has 27 online accounts that require a password. Unfortunately, two-thirds of people use the same password for all of them. Twenty-seven is a conservative estimate, by the way. Other studies show that people have up to 100 passwords to remember.

Since data breaches have become commonplace today, once a set of credentials is in the possession of a hacker, it is then used to access other sites. A compromised online account takes on a life of its own on the dark web, distributed and sold on numerous lists for years. Holding on to a “one-stop-shop” credential can have dire consequences. As a result, users are now encouraged to have a unique, complex password for each and every online account. Of course, that requires everyone to remember and manage a large number of passwords, which isn’t feasible for most people. That’s where password managers come into play. A password manager retains the unique password for every online account and fills in the credential boxes automatically. In the sections below, we’ll discuss the options you have for managing passwords.

Tip #1: Check Out Windows Password Manager Options

There are two primary options for Windows password managers.

Windows Password Manager Option 1

The first password manager option is a centralized, cloud-based password manager. One example is Microsoft Authenticator, which is installed on your smartphone as a mobile app.

Windows Password Manager Option 2

Another alternative is the internal password manager within your local browser. System admins can enable or disable this function within all of the major browsers through either Microsoft Group Policy or an MDM solution such as Microsoft Endpoint Manager. The screenshot below shows how to disable the password manager in Google Chrome Group Policy.

Enable saving passwords to the password manager

Tip #2: Consider the Limitations of Microsoft Group Policy

The problem with Group Policy is that it only applies to domain-joined computers. What’s more, the task of managing settings for mobile computers is challenging at best with Group Policy in the new era of remote work. This is why many organizations use an MDM solution to deliver settings to mobile machines. The screenshot below shows a configuration policy being created to enable the password manager in Microsoft Edge using Endpoint Manager.

Microsoft Endpoint Manager Admin Center

Tip #3: Don’t Forget MDM-joined Machines

However, that means you need two management systems and two policies to cover both: one for on-premises domain-joined desktops and another for MDM-joined machines. When it comes to remote machines that are not MDM-joined, however, you are out of luck.

Tip #4: Remember Multi-Browser Environments

Unfortunately, the complexity concerning password managers is much greater than this, as many users operate within multiple browser environments. This means that a user could try to access a site with a different browser than the one in which they have stored their password. In this case, users must remember which browser password manager retains which online accounts. That’s almost as challenging as remembering multiple passwords. Of course, you could duplicate these efforts across all browsers, but that also expands the attack surface of your users’ desktop environments, not to mention creating more policies for admins to maintain. If only there were an easy and secure way to manage passwords.

Tip #5: Take Control of Local Password Managers

There is an easier way to manage passwords, and it doesn’t involve everyone using the exact same browser. PolicyPak is a modern desktop management system for the “anywhere workforce” today that gives you the super-admin powers you need to not only take control of all browser password managers but to control which browser your users use for their online accounts. Let’s look at this with an example in which we want users to use the Edge browser as their exclusive local password manager.

PolicyPak Admin Templates Manager lets you manage and deliver all ADMX template settings for all major browsers. Besides working with the same ADMX settings used with Group Policy and Endpoint Manager, all of the PolicyPak editors are built inside the Group Policy Management Editor that admins are already familiar with. In the screenshot below, we are enabling the local password manager of Edge in the same way you would using Group Policy. The difference is that your managed desktops don’t have to be domain-joined.

PolicyPak Administrative Templates Manager

Now let’s disable the AutoComplete for forms setting for IE, as shown in the image below.

Disable auto complete for forms

Then we will disable the auto-complete feature for usernames and passwords, as shown in the image below. Notice that all three ADMX settings are being stored within a single policy.

Administrative Templates Manager Actions

You can watch a video demonstration showing how to deliver group policy admin template settings over the internet using PolicyPak Cloud.

You can manage Mozilla Firefox and Google Chrome using PolicyPak Admin Templates Manager, but you can use PolicyPak Applications Manager to do so as well, giving you some additional management features. With PolicyPak Applications Manager, you can manage and enforce settings for several hundred of the most popular business applications on the market. The screenshot below shows us creating a new policy for Mozilla Firefox.

Application Settings Manager New Application

Now let’s uncheck the password feature within Firefox, as shown in the image below. Then we can choose whether we want to deliver this setting continually or just one time. We can have the setting revert should the policy fall out of scope as well as perform ACL lockdown, which denies those with local admin rights the ability to override the desired settings using the local registry.

Application Settings Manager Forms and Passwords

You can watch a video demonstration showing how to manage and enforce settings for Firefox and other enterprise applications.

Now let’s use PolicyPak Applications Manager to deny access to the Google Chrome password manager as well, as shown in the image below.

Application Settings Manager Password Manager
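
To verify on an endpoint that the settings above actually landed, the following added example (not PolicyPak's or the original article's code) audits the machine-level policy registry values for the scenario in this section: Edge may save passwords, Chrome and Firefox may not. It assumes the settings are delivered as the browsers' standard ADMX policy values under HKLM; settings written another way (for example into an application's own preference files, or per-user IE AutoComplete policies) will show as NotConfigured here.

```powershell
# Added example: audit browser password-manager policy on one machine.
# Assumption: policies arrive as the vendors' standard ADMX registry values (HKLM).
$expected = @(
    @{ Browser = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled'; Want = 1 }
    @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled'; Want = 0 }
    @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled'; Want = 0 }
)

function Get-PasswordManagerPolicyState {
    param([Parameter(Mandatory)][hashtable[]]$Rules)

    foreach ($rule in $Rules) {
        # A missing key or value means the policy is not configured, so the
        # user can still toggle the browser's password manager themselves.
        $actual = $null
        $item = Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($rule.Name) }

        if ($null -eq $actual) {
            $status = 'NotConfigured'
        } elseif ([int]$actual -eq $rule.Want) {
            $status = 'Compliant'
        } else {
            $status = 'Drift'
        }

        [pscustomobject]@{
            Browser  = $rule.Browser
            Policy   = $rule.Name
            Expected = $rule.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

$report = @(Get-PasswordManagerPolicyState -Rules $expected)
$report | Format-Table -AutoSize

# Non-zero exit code lets a compliance or monitoring job flag the machine.
if ($report | Where-Object { $_.Status -ne 'Compliant' }) { exit 1 }
```

A NotConfigured result for Chrome or Firefox is worth treating the same as Drift in this scenario, because an unmanaged browser will offer to save passwords by default.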

All of this is great, but it is of little benefit if users can constantly change browsers. With PolicyPak Browser Router, you can end the default browser wars once and for all and enforce a final winner. In the screenshot below, we are creating a default browser policy using PolicyPak Browser Router.

PolicyPak Browser Router

Now let’s set Edge as the absolute default winner, as shown in the image below.

Edit Policy Template

Not only will users never again be prompted for a default browser selection, but if a user opens a browser other than Edge to view a site, PolicyPak will terminate that browser session and reopen it using Edge.

Now let’s take this one step further. Not every website is optimized for Edge. The fact is that some sites work better in certain browsers. What if we want to make Firefox or Chrome the default browser, but then force all sites that require Windows password manager to open in Edge or vice versa?

This is not a problem. All you need to do is make your desired browser the default browser, and then create a policy to open all other required sites in Edge. Again, users will be forced to use Edge for any site designated within the policy. In the example below, we have a policy created for www.bankusa.com.

Edit Policy Template

You can watch a video demonstration showing how to control browser choice for your users in multi-browser environments.

PolicyPak and Security

While modern enterprises are growing increasingly complex, security management can still be simple. PolicyPak gives you the policy-level integrations that make IT governance predictable and reliable using existing system interfaces you already know. If you want to learn more about our security offerings, check out PolicyPak Least Privilege Manager, which can completely lock down your enterprise desktops from ransomware and zero-day threats.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.
