Sorry this is about 2 years later, but I thought I'd go ahead and answer this more completely, since the page showed up repeatedly during my research into the same question.
Edge stores passwords using the Windows Credential Locker Service. This service supports multiple types of encryption; some less secure than others. Access to the service is controlled by the local Windows user account management. It can also be tied to Active Directory account management, and/or to an online "Microsoft Account" (what they used to call a "Windows LiveID account"). There is now a lot written about this service that can be looked up online.
This ties Edge together deeply with the rest of Windows. IMHO, this increases the vulnerable "cross-section" of the system that is exposed to an attacker. So you might want to continue avoiding Edge's password manager... or, in fact, any browser's built-in password manager.
Here's the advice I wrote in another forum...
To stay safe, a key principle you should follow is defense in depth. An example might serve to clearly illustrate the concept. Imagine a VIP (perhaps a head of state) who is going to a private meeting. Not only will s/he travel in an armored limousine; s/he will also take multiple safety measures: traveling in a convoy of identical cars so an attacker has to guess which car (or else attack all of them), traveling with trusted bodyguards, sending out decoy convoys, altering the travel path, keeping the meeting place and time secret, et cetera ad infinitum. These multiple measures are the heart of defense in depth.
Now, how to apply this to Microsoft Edge, or to any other browser or application?
Store your passwords somewhere else. An attacker’s scripts can most certainly determine which browser they’re running on. If they can determine that, they can tailor their attack to that browser’s vulnerabilities. And Edge is intimately integrated into Windows — and only the more recent versions — which narrows down how much an attacker has to learn about the environment that Edge exists in.
To improve your security, use a separate password manager application that stores your passwords in an encrypted form. Note that this is a case where "free is better." Don't buy a password manager; use an Open Source one. Why? Open Source means anyone can look at the source code to the program.
This actually improves security. Even if you cannot read programs or create them yourself, it improves your ability to trust the software if you know that many other people (who share your concerns for security) have looked through the code and deemed it safe enough for their own use: no "backdoors" and no fundamental cryptological mistakes.
Cryptography is difficult, and even more difficult to “get it right.” If you use a purchased program, you are taking the vendor’s word for it that they did the job correctly so that there are no vulnerabilities they missed. If you use an Open Source program, you have more confidence that people other than the authors have scrutinized the code.
Some Additional Advice
- Don't use a password manager that can automatically, without your intervention, log you into websites you visit. (Or if you decide on a manager that you really like, but it has this feature, turn it off and don't use it.) Anything a program can do for you can be used against you by a clever attacker.
- Don't leave the program running all the time. But don't start it and shut it down so frequently that you're tempted to weaken your master password. (That also gives others more chances to see you type it in.)
- Use the auto-locking feature, if it has one. Set it to an interval that is a happy medium (see #2).
- Clear the clipboard right after using it to paste a password or other sensitive information. Your password manager should have such a feature. If it doesn't, find a different one.
I personally use "Password Safe," originally written by Dr. Bruce Schneier, a noted security and cryptography expert. He turned it over to an Open Source team that has maintained it for many years (as noted at Schneier on Security). You can download it at Password Safe (https://pwsafe.org/). Be careful not to download it from other sources: there are many poor substitutes (some commercial, some free) that have tried to capitalize on this program's reputation by naming their software similarly or even identically.
As with anything security related, don’t take any one person’s word for it… including my own. Do some research on your own to determine whether something is good or not!
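The answer above says that access to the Credential Locker is controlled at the level of the Windows user account, and that this widens the "cross-section" exposed to an attacker. The following script, added here as an illustration and not part of the original answer, makes that boundary concrete: one piece of code stores a secret in the vault, and a second, unrelated piece of code running under the same user account reads it back in plaintext with no prompt and no additional privilege. It assumes Windows PowerShell 5.1 on Windows 10 or 11 (the WinRT type projection it relies on is not loaded by default in PowerShell 7); the resource name, user name and secret are constructed placeholders.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 5.1
# on Windows 10/11, where the WinRT PasswordVault projection is available.
# Resource, user name and secret below are constructed placeholders.

# Load the WinRT types that front the Credential Locker (the "Web Credentials"
# section of Control Panel > Credential Manager).
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null
[Windows.Security.Credentials.PasswordCredential,Windows.Security.Credentials,ContentType=WindowsRuntime] | Out-Null

$vault = New-Object Windows.Security.Credentials.PasswordVault

# Step 1: play the role of "application A" (a browser, say) and save a login.
$resource = 'https://example.invalid/login'   # constructed placeholder
$userName = 'demo-user'                       # constructed placeholder
$cred = New-Object Windows.Security.Credentials.PasswordCredential($resource, $userName, 'demo-secret')
$vault.Add($cred)

# Step 2: play the role of an unrelated "application B" in the same user session.
# The vault does not distinguish between callers running as this user: every
# entry is enumerable, and RetrievePassword() fills in the plaintext on demand.
# Any entries a browser has stored in the Locker appear in this same list.
foreach ($entry in $vault.RetrieveAll()) {
    $entry.RetrievePassword()
    '{0,-40} {1,-20} {2}' -f $entry.Resource, $entry.UserName, $entry.Password
}

# Step 3: remove the demo entry so it does not linger in the user's vault.
$vault.Remove($vault.Retrieve($resource, $userName))
```

Run it in an ordinary (non-elevated) Windows PowerShell session; elevation is not needed, which is exactly the point. The access check is "is this code running as the user who owns the vault?", so a script or malware that has reached the user's session already satisfies it. A stand-alone password manager with its own master password and auto-lock adds a second boundary that the user account alone does not provide, which is the defense-in-depth argument the answer makes.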