Microsoft is launching a new anti-phishing measure which will issue a warning to users when they paste their system credentials into documents and websites.
The new feature, available now in preview, is part of the Windows 11 Enhanced Phishing Protection, which was released with Windows 11 version 22H2, and is meant to protect your Windows and Active Directory passwords from falling into the wrong hands.
Malware and phishing campaigns can be used to acquire an organization’s login details and deal all sorts of damage, from stealing sensitive data to sell on the dark web, to gaining insights into business partners and spreading their attack further.
Enhanced Phishing Protection
Initially, the Enhanced Phishing Protection only warned users when they manually typed their password into a document or website, but since many use password managers to store their credentials, they are able to copy and paste them instead.
However, with the Windows Insider Preview Build 23506, copying and pasting your Windows password is now detected. In the build’s release notes, Microsoft says that, “We are trying out a change starting with this build where users… will see a UI warning on unsafe password copy and paste, just as they currently see when they type in their password.”
To enable the feature, users of the preview build need to navigate to Windows Security under App & browser control > Reputation-based protection > Phishing protection and enable all checkboxes.
When you then copy and paste your Windows password into a website, a dialog box will appear warning you of the dangers of password reuse and recommending that you change your local Windows account password, with a link that takes you straight to the settings to do this. Or, you can choose to dismiss the warning.
BleepingComputer notes, however, that the feature does not appear to work when the password is pasted into certain third-party applications, such as Notepad2 and Notepad++, which are commonly used to hold and insert credentials.
The warning also does not work if you are using the company’s passwordless login feature, Windows Hello, where biometrics or a PIN are used to grant you access instead. A password must be used to log in to Windows so that it is held in system memory and can be compared against the pasted text.