Universal Password Storage in Windows 8

| by Jonathan Allen Follow 465 Followers on Dec 16, 2011. Estimated reading time: 1 minute |

A note to our readers: You asked so we have developed a set of features that allow you to reduce the noise: you can get email and web notifications for topics you are interested in. Learn more about our new features.

For most users the only form of credential management is password saving in a web browser. This often leads to an unsatisfactory experience, as the passwords are actually stored on a pre-browser, per-computer basis. Without additional software one cannot share accounts between IE and Firefox or their work and home computer.

Under Windows 8 your Windows Live account becomes your master password. With it one can access any other password from any Windows 8 machine that is marked as “trusted” by the user. While Windows will generally enter the password for you, it can be viewed using the “Manage you credentials” screen.

Since this makes losing one’s Windows Live password a huge security risk Microsoft is recommending users disable the normal password recovery system. Instead they can use a secondary email address or a cell phone for password recovery, but those too pose a risk.

For the application developer this new ecosystem offers some interesting prospects. Windows 8 credential storage offers an API for both traditional and Metro style applications. That means developers are no longer responsible for securing locally stored passwords and benefit from cross-machine replication.

The entry point for the API is the PasswordVault class. From here one can get a list of resources by username or usernames by resource. A resource is just a string which may represent something like a URL or application ID. Each resource/username pair may have a single password associated with it.

There are a few questions still unanswered:

  • Will all applications have access to the same repository of passwords, or do they each get their own?
  • If it is shared, how will Windows prevent a rogue application from stealing every password in one go?
  • If it isn’t shared, how will Windows differentiate one application from another?

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you