Microsoft to include a password manager in Office 365 Personal and Home in spring of 2020

[captain_to_fire]

I'm surprised no one has made a thread about this yet, but here it goes and it has been a while since I made one of these.

 

Sources:

The Verge, ZDNet

 

Quote

Microsoft has been leading up to launching a consumer version of its Microsoft 365 subscription for months. The Verge originally revealed that the company was planning a “for life” version of its Teams software earlier this year, and now ZDNet reports that the Microsoft 365 consumer subscription is currently named “M365 Life.”

 

These subscriptions will reportedly largely be a rebranding of what is currently known as Office 365 Personal and Home, but ZDNet claims a password manager will also be bundled. This will be particular useful for consumers, especially when Microsoft recently discovered that 44 million Microsoft Accounts have passwords that have been reused and leaked in various databases of 3 billion passwords.

To be honest, I'm actually expecting Microsoft to bundle a password manager to Office 365 to justify the price. I don't know why would it take so long to make one when they have a massive development team inside. Nonetheless, I hope it has the essentials of a password manager similar to what I use which is Dashlane.

• AES-256 bit encryption both in transit and at rest (just like Dashlane [1] [2])
• support for biometric authentication (fingerprint/face)
• PBKDF2 or Argon2d key derivation
• support for 2FA codes and FIDO U2F security key
• cross platform supprt (Windows, Mac, iOS, Android)
• a separate master password which is different with your Microsoft account
• a bug bounty

Considering the breaches that LastPass had, this might be a better alternative and to finally make people realize that reusing passwords is not secure and quite dangerous. In fact, Microsoft's own security report showed that 44 million of Azure and Microsoft accounts have been breached due to reusing of passwords. 

Quote

According to a 2018 study of nearly 30 million users and their passwords, password reuse and modifications were common for 52% of users. The same study also found that 30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses. This behavior puts users at risk of being victims of a breach replay attack.

 

As you can see on the right, so far, in 2019* the threat research team checked over 3 billion credentials and found a match for over 44 million Azure AD and Microsoft Services Accounts. For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced.

I think this is probably the reason why for Office 365 subscribers, there's now a personal vault option that Microsoft claims to add an additional security layer to sensitive files saved to OneDrive by adding a PIN or biometric authentication. 

 

Sure, one might bring up Microsoft's privacy woes and that might be a valid reason not to use O365's upcoming password manager but I think that not using one and simply reusing passwords is worse. But for me personally, I'm liking Dashlane at the moment and I will keep it as my password manager.

Edited December 7, 2019 by captain_to_fire

[Arika]

Regardless of if it get's used or not, at a minimum it might at least make people THINK about using it or thinking about how many accounts use the same password

[jagdtigger]

38 minutes ago, Arika S said:

make people THINK

They wont, they are just too lazy and "have nothing to hide" so they will keep on using the same generic password everywhere.

[Doobeedoo]

Neat though. Even though it's part of subscription model, which I'm not fond of. They still offer regular non sub package at least. 

[dalekphalm]

I may switch to this, if there’s a way to import existing passwords. 
 

I manage all my passwords manually. It works well since I can copy and paste them when needed, but it’s a bitch to manage, and occasionally annoying to use. 

[captain_to_fire]

6 hours ago, dalekphalm said:

I may switch to this, if there’s a way to import existing passwords. 
 

I manage all my passwords manually. It works well since I can copy and paste them when needed, but it’s a bitch to manage, and occasionally annoying to use. 

Most password managers have an import/export feature via a .csv file. You don’t even have to copy/paste passwords since password managers autofill entries for you. My bank for instance doesn’t allow copy/pasting of passwords and that’s where a password manager is handy. 

[LAwLz]

Sounds terrible. It seems like it will have a lot of the stuff I hate about some other password managers. Things like a monthly cost, being closed source, the vault file being stored on servers you have no control over, and possibly other bad things.

 

 

7 hours ago, dalekphalm said:

I may switch to this, if there’s a way to import existing passwords. 
 

I manage all my passwords manually. It works well since I can copy and paste them when needed, but it’s a bitch to manage, and occasionally annoying to use. 

I'd recommend KeePass instead of this though.

Benefits of Keepass:

1) Does not sync to an online server unless you set it up with something like Dropbox, Google drive or OneDrive. It means you are in more control over the vault file.

2) It's open source, so it's much less likely that it's backdoored, and backdooring is something Microsoft has consistently done with their previous encryption functions and services.

3) It's free to use, unlike this which is a subscription service. We don't know how it works yet, but it might be so bad that you can get cut off from your password vault (and thus all your accounts) if you fail to pay the bill for some reason (auto renew maybe fails, or you cancel the service accidentally, etc).

 

If you use this service, then you should only do so fully knowing that you are probably handing over all your passwords to Microsoft as well as any other company/organization they feel like sharing it with (or are forced to share it with by law).

[vanished]

10 hours ago, captain_to_fire said:

[...] To be honest, I'm actually expecting Microsoft to bundle a password manager to Office 365 to justify the price.  [...]

I don't really understand this statement.  After checking just now since my knowledge was a few years old, the pricing for some popular providers breaks down as follows: (All prices for Canada and in CAD)

• Google is $70 / year / TB (min plan >= 1 TB is 2 TB, paid yearly)
• Apple is $78 / year / TB (min plan >= 1 TB is 2 TB, paid monthly)
• OneDrive is $80 / year / TB (min plan >= 1 TB is 1 TB, paid yearly)
• Amazon is $125 / year / TB (min plan >= 1 TB is 1 TB, paid yearly)

Plus Microsoft's offering also of course includes the entire Office suite (Word, Powerpoint, etc.), not just cloud storage like the others, so in my opinion the price is already quite fair.  Additionally, I don't think the inclusion of a password manager is significant enough to make any meaningful impact to the overall value considering how many excellent free options already exist on the market.

[dalekphalm]

2 hours ago, captain_to_fire said:

Most password managers have an import/export feature via a .csv file. You don’t even have to copy/paste passwords since password managers autofill entries for you. My bank for instance doesn’t allow copy/pasting of passwords and that’s where a password manager is handy. 

Hmm cool. I will need to format a file though as it’s not stored as a csv. 

2 hours ago, LAwLz said:

Sounds terrible. It seems like it will have a lot of the stuff I hate about some other password managers. Things like a monthly cost, being closed source, the vault file being stored on servers you have no control over, and possibly other bad things.

 

 

I'd recommend KeePass instead of this though.

Benefits of Keepass:

1) Does not sync to an online server unless you set it up with something like Dropbox, Google drive or OneDrive. It means you are in more control over the vault file.

2) It's open source, so it's much less likely that it's backdoored, and backdooring is something Microsoft has consistently done with their previous encryption functions and services.

3) It's free to use, unlike this which is a subscription service. We don't know how it works yet, but it might be so bad that you can get cut off from your password vault (and thus all your accounts) if you fail to pay the bill for some reason (auto renew maybe fails, or you cancel the service accidentally, etc).

 

If you use this service, then you should only do so fully knowing that you are probably handing over all your passwords to Microsoft as well as any other company/organization they feel like sharing it with (or are forced to share it with by law).

I already pay for and use Office 365 w/ 1TB of storage. 

[captain_to_fire]

1 hour ago, dalekphalm said:

Hmm cool. I will need to format a file though as it’s not stored as a csv. 

The import/export feature works only between password managers. Let's say I previously use LastPass but decided to use Dashlane, I can export all of my passwords from LastPass via a .csv file, then all I have to do is upload the said .csv file to Dashlane.

 

Do you manually store your passwords? I hope you don't. 

[captain_to_fire]

3 hours ago, Ryan_Vickers said:

Additionally, I don't think the inclusion of a password manager is significant enough to make any meaningful impact to the overall value considering how many excellent free options already exist on the market.

Most of the "free" password managers that I know is only free on one platform and is only stored locally and can only save a limited amount of entries. It reminds me of Enpass

Quote

 

. While you have the freedom to pick which cloud service to sync your passwords with, you still have to pay a one time fee for that platform, let's say Android or iOS. 

[vanished]

25 minutes ago, captain_to_fire said:

Most of the "free" password managers that I know is only free on one platform and is only stored locally and can only save a limited amount of entries. It reminds me of Enpass

. While you have the freedom to pick which cloud service to sync your passwords with, you still have to pay a one time fee for that platform, let's say Android or iOS. 

I still don't think that's enough to push the whole package from not worth the price to worth it, but I guess to each their own, and I'm more interested in the usefulness of this anyway.  It does sound like it would be a good service if it can do all of that and if in fact others often have those limitations (though I must say I've looked into 2 popular options before and didn't notice these shortcomings with either).  Possibly relevant: they added a feature to their authenticator app a while back (same as google authenticator, etc - 2fa for your accounts added with a QR scan) that apparently will allow you to sync the configured accounts to the cloud so that installing the app on a new device will automatically allow you to continue "where you left off" with all of your other accounts, instead of having to reconfigure 2fa on all of them.  I've not tried this myself, but it would obviously synergize well with a password manager.

[Arika]

4 hours ago, LAwLz said:

Sounds terrible. It seems like it will have a lot of the stuff I hate about some other password managers. Things like a monthly cost, being closed source, the vault file being stored on servers you have no control over, and possibly other bad things.

They better give the ability to export passwords if you end the subscription otherwise you no longer have access to any stored passwords. this is why i dont like "x as a service" if they change their terms, close up shop, no longer offer said service, you've just lost what ever you've paid for.

[amdorintel]

my pw is p@$$w0rd its great because it includes symbols and numbers and letters

[dalekphalm]

10 hours ago, captain_to_fire said:

The import/export feature works only between password managers. Let's say I previously use LastPass but decided to use Dashlane, I can export all of my passwords from LastPass via a .csv file, then all I have to do is upload the said .csv file to Dashlane.

 

Do you manually store your passwords? I hope you don't. 

I manually store my passwords, yes. I needed a system and could never settle on a password manager. Especially in the early days, a lot of them had limitations that were deal breakers. And additionally, when I was using Windows Phone, there were almost no options even available on the platform. 
 

As long as I can manually enter them one at a time, it’s not an insurmountable task. It would

probably be faster than converting my passwords into a CSV.