Passwords in IE11

Today’s Web relies on passwords as a form of authentication, which means people have to log into a variety of different services every day. Not only is typing passwords on touch devices cumbersome, but people are creating weak passwords and using the same password for every site, making them more vulnerable to identity theft. Having a secure, reliable password manager is the best method for encouraging people to create strong, unique passwords for every site.   

With Internet Explorer 11, we’ve done work to make signing into sites faster and more reliable as well as give users more control when saving credentials.  In addition, IE11 will now roam credentials to IE11 on Windows Phone 8.1!

Password autofill with IE11 on Windows Phone 8.1
You can now save and roam passwords to IE11 on Windows Phone 8.1

Reliable Login form detection

With IE11, we’ve beefed up our login form detection which means that IE will now prompt to remember passwords on over 90% of login forms on the Web.  This is a significant improvement over previous versions of IE.

You decide if you want to save your password

We are giving control back to the user when deciding to save passwords on a given site.  IE11 will now prompt the user to save passwords even if the autocomplete=off attribute is set on login forms.  IE will continue to honor this attribute on all other form fields (e.g. username, credit card, address, name, etc.).  There are two main reasons for doing this. One is to address the user confusion around why IE won’t remember passwords on certain sites. The second is because we believe that encouraging users to create strong, unique passwords is more important than honoring the autocomplete=off attribute on forms. Users should be able to decide for themselves if it is safe to save a password on a given device and situation. 

Sign in faster

IE will save you time by automatically pre-populating your credentials after the page has loaded, when it is safe to do so. Previously, users were required to click or tap in the username field and then click or tap again to select the username to populate the password.  This presented problems on touch devices—triggering double-tap to zoom—and on sites that pre-populated usernames from cookie information. This change in Autocomplete behavior on login forms is secure, as IE will revert back to its old tap-and-select behavior when the site does not meet certain security criteria. This design is a result of our focus on keeping the user secure.

For tablet users, double-tap-to-zoom has now been disabled on input elements to address the issue where tapping and selecting an Autocomplete item triggered optical zoom. Last, to allow sites to detect when the username and passwords have been filled, IE will now fire the ‘input’ and ‘change’ events when pre-populating credentials in the form.

Sign in once, everywhere

With Windows 8.1 and Windows Phone 8.1, users don’t have to re-enter their credentials for the same domain in a Windows or Windows Phone Store app that they’ve previously saved in IE.  This significantly speeds up your sign in experience across apps and devices. In IE11, Windows will use your IE saved credentials for that same domain hosted in Store app via the Web Authentication Broker. As always, Store apps will never be able to read the credentials stored in IE.

Sharing credentials between apps and IE.
Windows will user your sign in info from IE11 for the same domain hosted in a Windows Store app

Windows Store apps using the Web Authentication Broker today will automatically get this experience with no additional markup required. And, your site and app credentials will roam between your PC and mobile devices as well.

Managing passwords

IE11 on Windows 8.1 stores credentials in the Windows Credential Locker. Web site passwords can be managed in the Credential Manager desktop control panel on Windows 8. With IE 11 on Windows 8.1, you can now also manage your Web accounts directly from the modern Internet Options. To do this from the modern IE, swipe from the right to open the Charm and tap Settings. From there, you can open your accounts and manage your credentials without switching to the desktop.

Manage credentials directly from within Internet Explorer
Managing your Web site accounts can now be done directly within the browser

And, as previously mentioned, all credentials can be roamed to all your Windows 8.1 devices.

Please try IE11 on Windows 8.1, Windows Phone 8.1 or Windows 7 to try out these new experiences for yourself! Looking forward to your feedback.

Thanks!

— Amy Adams, Senior Program Manager, Internet Explorer

Some developer notes:

In order for your site to work with IE 11’s password manager, the login form must meet the following criteria:

  • Contain both a username and password to login to a service
  • Username and password fields are encapsulated in the HTML5 form element
  • Uses HTML5 standard input types for username field that accept free-form user input
  • Uses HTML5 password input type is used for the password field
  • DOM Level 2 submit event is fired upon submission of the form and credentials are not cleared before the submit event is fired

Comments

  • Anonymous
    June 23, 2014
    Yes!! Good article, good design choices. I'm glad to see IE making these bold steps for the right reasons.

  • Anonymous
    June 23, 2014
    > This change in Autocomplete behavior on login forms is secure, as IE will revert back to its old tap-and-select behavior when the site does not meet certain security criteria. What are the "certain security criteria"?

  • Anonymous
    June 23, 2014
    Quote: "IE11 will now prompt the user to save passwords even if the autocomplete=off attribute is set on login forms.  IE will continue to honor this attribute on all other form fields (e.g. username, credit card, address, name, etc.).  There are two main reasons for doing this. One is to address the user confusion around why IE won’t remember passwords on certain sites." I think that needs some explanation. What do you mean? Do you mean IE11 will ignore any autocomplete=off attribute setting on login webforms, or do you mean IE11 will partially ignore the user's settings in Internet options Content AutoComplete Settings? If you mean IE11 will ignore any autocomplete=off attribute settings on login webforms, though respecting the user's settings in Internet options Content AutoComplete Settings, that may be okay, I guess. But if you mean IE11 will partially ignore the user's settings in Internet options Content AutoComplete Settings, and will ask to remember passwords even though the user has set not to remember passwords, that would be terrible. That would ask for an extra setting, to prevent IE asking to remember passwords. I really hope you can clarify this matter. If it is really Microsoft's plan to make IE11 partially ignore the user's settings in Internet options Content AutoComplete Settings, and ask to remember passwords even though the user has set not to remember passwords, that would be outrageous. As I said, that would ask for an extra setting, to prevent IE asking to remember passwords.

  • Anonymous
    June 23, 2014
    I agree with you, honoring that dumb autocomplete=off parameter is a bad idea from website makers who think they’re entitled to decide in users’ names.

  • Anonymous
    June 23, 2014
    Would love to know how the backend roaming security of passwords is ensured.

  • Anonymous
    June 23, 2014
    ... It's all great and stuff, but I'd still prefer a native IE12 future release for Vista and 2008 (non-R2) instead. Having them stuck with outdated IE9 is like an official invitation and red carpet for Chrome and (less so) Firefox.

  • Anonymous
    June 24, 2014
    The comment has been removed

  • Anonymous
    June 24, 2014
    Could someone tell me if any windows 8 desktop app can get access to the IE saved passwords?

  • Anonymous
    June 24, 2014
    I love this feature in the Windows Phone 8.1 update. It would be great if you guys were able to connect our Microsoft accounts to LastPass and Windows and Windows Phone are able to securely pull credentials and auto-complete info from your account. Auto-complete for forms is still a glaring omission so I hope to see that soon. Also, tabs need to sync between device more frequently. Like every time a new tab is opened, it should update so other devices can see it. Keep up the good work guys :)

  • Anonymous
    June 24, 2014
    The comment has been removed

  • Anonymous
    June 24, 2014
    Dear Louis Martinez [MSFT], Thank you very much for your reply. You  wrote: "If you've disabled "Ask me before saving passwords" then the autocomplete feature in regards to usernames and passwords is turned off and you will not get prompted to save anything." Can you tell us, please, does the same apply to the situation in which the user has disabled AutoComplete for "User names and passwords on forms"? I should think so, but it would be nice if you could confirm. Thank you very much.

  • Anonymous
    June 24, 2014
    @Spiff - "User names and passwords on forms" disables the feature completely, so you will not be prompted to store any credentials and we will not automatically populate any login information you've stored.

  • Anonymous
    June 24, 2014
    Below are the cases where we auto-populate credentials:  

  • The site must be an SSL site.
  • The site certificate must be valid and the page must not have mixed SSL and non-SSL content.
  • The login form must not be in a frame.
  • The tab must not be in inPrivate mode
  • The user must have exactly one credential stored for the site (If two or more credentials are stored for the same site, we won't auto-populate, as we wouldn't know which user is currently using the machine) In every other case, the user can double click or tap into the field to access a dropdown of credentials to use. Adhering to these rules prevents malicious sites from harvesting credentials by pretending to be a legitimate site.  Hope this clarifies things.
  • Anonymous
    June 24, 2014
    How are you detecting whether there is a "username" field ?

  • Anonymous
    June 24, 2014
    @Louis Martinez [MSFT], since you are the only person from IE team who like engaging with IE users, can you please confirm if download attribute is coming? www.w3schools.com/.../att_a_download.asp Please tell the team that its dearly wanted! Thank you

  • Anonymous
    June 24, 2014
    Dear Louis Martinez [MSFT], Thank you very much for your reply. You wrote: " "User names and passwords on forms" disables the feature completely, so you will not be prompted to store any credentials and we will not automatically populate any login information you've stored." Thank you very much, that is clear. If the user's setting in Internet options Content AutoComplete Settings AutoComplete disabled for "User names and passwords on forms" is fully respected, then there is no problem and it's fine. Thanks again for clarifying. The original article could have been a little clearer though, to prevent possible misinterpretations regarding whether the user's autocomplete settings were respected. Thanks again and best regards

  • Anonymous
    June 24, 2014
    Thanks for the info On Domain pc the IE password don't sync, it's right? There is a way to enable password sync on domain pc?

  • Anonymous
    June 24, 2014
    @OberstDanjeje - Credential syncing is indeed tied to your Microsoft Account.  There is currently no way to sync credentials on a domain joined PC.

  • Anonymous
    June 24, 2014
    The comment has been removed

  • Anonymous
    June 24, 2014
    Two quick requests:

  1. In the Accounts panel in the Modern IE Settings Charm, please consider sorting the items by URL, or in some visually identifiable order.  Currently there appears to be no rhyme or reason to the order (if there's a date factor to the order, put the date information on the display.)
  2. In the Accounts panel in the Modern IE Settings Charm, please reconsider the "soft dismiss" behavior associated with the Remove button (use case: try to remove multiple accounts from that panel.  The soft dismiss behavior makes it a less-than-ideal experience.) Thank you
  • Anonymous
    June 25, 2014
    Can you see what has happened with the twitter.com website in relation to this stuff? I don't know whether it was an IE 11 update, or a change in the Twitter site (I highly suspect the latter), but the whole "remembering user name and password" thing suddenly completely stopped working.  I now have to type everything in manually every single time I switch users or log out and want to log back in.  It's very annoying. SOMETHING changed there.  Maybe you need to get with them to get their site fixed?  Or at least investigate yourself.

  • Anonymous
    June 25, 2014
    @Cc: Good question! No, apps cannot read the passwords stored by IE.

  • Anonymous
    June 25, 2014
    @Spiff: Hopefully Louis clarified your questions. We will still honor the user autocomplete settings on login forms.   I would also like to add that other browsers (Safari, Opera, Chrome) also prompt to save passwords when the autocomplete=off attribute is set on login forms. In Safari, you have to go into the browser settings and set it to allow prompting even when autocomplete=off is set. Chrome has recently changed their behavior to match ours as well by default: groups.google.com/.../forum. In general this is a direction the browsers are moving towards as users need to have control over saving and managing their credentials for any site. As I've mentioned password managers are a great tool for encouraging users to create (and remember) strong, unique passwords for every site they log into. Hence the password manager should prompt for any site and the user should decide if they want to save the password or not. Hope that makes sense. -Amy Adams [MSFT]

  • Anonymous
    June 25, 2014
    Amy Adams wrote, "Hopefully Louis clarified your questions." Yes, thank you very much. Best regards

  • Anonymous
    June 25, 2014
    @Dave: IE on Windows 8 and Windows 8.1 users the Windows Credential Locker to roam passwords. Nothing has changed here with Windows 8.1. You can read more about Windows Credential locker and roaming here: blogs.msdn.com/.../credential-locker-your-solution-for-handling-usernames-and-passwords-in-your-windows-store-app.aspx Thanks, Amy Adams [MSFT]

  • Anonymous
    June 25, 2014
    @John Garland: Thanks for the feedback!

  • Anonymous
    June 25, 2014
    @Peter - Rest assured, many folks from the IE team actively monitor the feedback in these blogs.  To follow along about features that have been implemented or are under consideration, please check out http://status.modern.ie/.

  • Anonymous
    June 25, 2014
    The comment has been removed

  • Anonymous
    June 26, 2014
    @pmbAustin: This appears to be a site issue. Twitter sets their cookies to expire the next day (24 hours I'm guessing). I was able to stay signed into twitter until the cookie expired. I'm not sure exactly why they do that, but this appears to be by design. Thanks, Amy Adams [MSFT]

  • Anonymous
    June 26, 2014
    @OberstDanjeje - Apologies, I mis-spoke.  If your Microsoft Account is connected on a domain joined machine, your credentials can sync in, but nothing will sync back out.  Hope that clarifies things.

  • Anonymous
    June 26, 2014
    please help me to instral my internet explrore on my computre

  • Anonymous
    June 27, 2014
    Credential sync is great and very much needed, but if you want to enhance security, it's missing a major part: the ability to generate a random password when you register for a site. See Apple Safari for a good implementation of this. This is an obvious companion to syncing passwords and something done by evvery third-party password amanger for years. Also, the credential management UI (both desktop and modern) is horrible. Why is there no search function? I have to scroll down the list and read every single item, since they are not even ordered alphabetically.

  • Anonymous
    June 30, 2014
    The comment has been removed

  • Anonymous
    June 30, 2014
    @pmbAustin: I'm assuming you're talking about IE's password saving feature and not twitter's 'remember me' functionality that is tied to the cookie. Yes, I do repro this now when there is more than 1 password/account saved for twitter.com. When I click somewhere outside the form (e.g. like the 'Full Name' field in the 'New to Twitter' form below the login form) and then I go back and click in the username field, the username entries appear. And when I select one, the password is populated. Do you see the same behavior? That is odd and there is some sort of bug here. Anyway, we will investigate the issue. Thank you for reporting this! Amy Adams [MSFT]

  • Anonymous
    June 30, 2014
    @Asbjørn: Thanks for the feedback on the password managers! There's definitely room for improvements. Regarding Apple's random password generator, I've found it to not work on all sites where I need to create an account due to the sites password rules and restrictions. So, I can't always use the feature. I've found this to be true with other password generators, but especially problematic with Apple's implementation. Have you found a generator that works on all sites? Anyway, thanks again for the feedback. Amy Adams [MSFT]

  • Anonymous
    July 02, 2014
    Thanks Amy!  I hadn't noticed if I click out and then click back in, the function returns.  That's a helpful workaround.  But yes, that's exactly what I'm seeing!  And it started not too long ago... a couple of months at the most I think. Thanks for looking into it!

  • Anonymous
    July 05, 2014
    Curious to know if the stored passwords use the same or better encryption to LastPass or 1Password. Can any MSFT rep comment on the security of stored credentials and how they are transmitted across devices?