Do you trust Microsoft with all your passwords?

If you are using Windows 8.1, Windows Phone 8.1, or Xbox One, the answer to the title is likely a resounding “yes”. The real question is whether you even knew about it, and whether you consent to it now that you do.

You’ve given your consent to, and acknowledged understanding of, the Windows 8.1 Privacy Statement[1] during installation or first start-up. Hidden away in the middle of the 26,700-word document is the following:

“If you choose to sign in to Windows with a Microsoft account, Windows syncs certain settings with Microsoft servers. These settings include:

  • Saved app, website, and network passwords” [2]

A “Microsoft account” is required to download free and paid apps, access documents and files saved in OneDrive, use Xbox services (on Windows too), and so on. This is a single sign-in feature Microsoft has been pushing for years. During the first-run start-up of a new computer, Microsoft makes it much easier to sign up for or log in to a Microsoft account than to create and log in with a local account. It takes a fair bit of clicking around to discover the hidden button to create a local account. Users are thus nudged towards signing in with this account type. It was first used to log in to your local computer in Windows 8.

If you’ve logged in to the Netflix or Twitter apps, Microsoft now has those passwords. If you’ve logged in to your bank and Facebook and let Internet Explorer save the passwords, Microsoft now has those passwords too.

To assure the tiny fraction of users who’ve read the privacy policy that this is safe, Microsoft goes on to say: “To help protect your privacy, all synced settings are sent encrypted via SSL.” That only covers the passwords in transit. Microsoft doesn’t share any details about how this information is secured on its servers. It could be stored in plain text, ready for extraction by law enforcement or by an attacker who gets into those servers. Other hosted password managers go out of their way to explain how they protect your passwords while in their care; Microsoft, on the other hand, doesn’t spend a single paragraph anywhere in its privacy policy to calm these fears. Anyone with access to your Microsoft account can also access this data freely: the Microsoft account password, and every recovery path into that account, has become the master key to all the passwords synced from your devices.

The convenience factor of the feature is very convincing. When getting a new computer, all apps would be redownloaded and retain their settings and even their login state. Who wants to spend time entering passwords on a phone or gaming console when it could all be set up automatically?

This behavior is enabled by default. Users can opt out of this feature by disabling the setting PC Settings: OneDrive: Sync settings: Other settings: Passwords. Even after disabling this setting, any non-synced settings, including passwords, will still be backed up to Microsoft’s servers. You also have to disable the PC Settings: OneDrive: Sync settings: Back up settings: Back up your settings for this PC setting. Both of these settings are reset and enabled by default when you upgrade from Windows 8 to 8.1. This again goes back to whether you trust Microsoft to do the right thing, to choose the right default, or not. Signing in on a new device will also turn everything back on by default.
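Because the toggles above are reset by upgrades and by signing in on a new device, a practitioner would rather pin the opt-out with policy than rely on the UI. The script below is an added example for this post, not something the post or Microsoft ships; it writes the “Do not sync passwords” policy from the “Sync your settings” administrative template into the local policy registry hive and verifies it. The key path, the value names and the meaning of the data (2 = do not sync, and a separate UserOverride value that greys out the toggle) are taken from that template, and the per-user Credentials key it reads back is an assumption about where PC Settings stores the Passwords toggle. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): pin the Passwords opt-out with policy
# so it survives the resets the post describes. Assumes the SettingSync.admx
# policy key and value names below; run from an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

# 2 = "do not sync" for the Credentials (passwords) group.
# The *UserOverride value = 1 greys out the toggle in PC Settings so neither a
# user nor a later sign-in can quietly switch it back on.
$Values = @{
    DisableCredentialsSettingSync             = 2
    DisableCredentialsSettingSyncUserOverride = 1
}

function Set-PasswordSyncPolicy {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
    }
}

function Test-PasswordSyncPolicy {
    # $true only when every expected policy value is present with the expected data.
    foreach ($name in $Values.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name `
            -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Values[$name]) { return $false }
    }
    return $true
}

function Get-PasswordSyncUserSetting {
    # Assumption: the PC Settings "Passwords" toggle is stored per user as
    # Enabled (1 = on, 0 = off) under the Credentials sync group.
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials'
    (Get-ItemProperty -Path $userKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
}

Set-PasswordSyncPolicy
if (Test-PasswordSyncPolicy) {
    Write-Output 'Password sync is now disabled by policy.'
} else {
    Write-Output 'Policy values missing or wrong; re-run from an elevated prompt.'
}
$toggle = Get-PasswordSyncUserSetting
Write-Output ("Per-user Passwords toggle (1 = on, 0 = off, blank = default): $toggle")
```

The policy only covers the sync of the passwords group; the separate “Back up your settings for this PC” switch is not governed by it, so check that one in PC Settings as described above. On a domain-joined machine the same values are better delivered through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Sync your settings) than written by hand.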

Considering how Microsoft arbitrarily decides it is in the user’s best interest to change their settings back to the default, you can’t keep any kind of sensitive information on your computer in a Windows account that uses a Microsoft account for login. To preserve privacy, and for added security, I use more than one account on my computers.