Microsoft Edge Just Killed One Of Its Best Security Features
One of the better security features in Microsoft's default web browser, Edge, has been the Custom Primary Password, an optional master password that users created to authenticate the use of autofill information. Unfortunately, that just changed: the Custom Primary Password was completely removed from Edge in a June 4, 2026, update, leaving only device authentication.
Users can still use other on-device authentication methods, such as Windows Hello on Windows (PIN, facial recognition, and fingerprint scanning), Touch ID on Mac, and device passwords. Microsoft is aiming to make using the password manager in Edge both convenient and secure, but people who prefer to use the Custom Primary Password as a separate, hardware-independent form of authentication are left with options they've been actively avoiding.
Microsoft has been at war with passwords, something that became more apparent when it made passwordless sign-in the default for Microsoft accounts. Passkeys are now front and center and more secure, as they're phishing-resistant and cannot be reused or guessed. Users who want to continue using a master password will have to rely on third-party options.
Why this is a bad move
Many security experts see passwords as the weakest link in the security chain. In a press statement by NordVPN (via TechRadar Pro), Ignas Valancius, the VP of engineering, said people would rather reuse passwords across accounts or switch a letter or number to create variations when managing too many passwords, making them easy to guess for a determined hacker. Microsoft said it blocks 7,000 password-related hacking attempts a second, but the problem with the complete removal of the Custom Primary Password is that it eliminates choice and flexibility, especially for people who actually make strong, unique, and memorable passwords.
Using a master password allows power users to create a layered security setup, with Edge having its own separate authentication method that's independent of the device-based options. Now that Microsoft has reduced it to a single layer, it creates a problem, especially for those who relied on it in shared environments. Anyone who can access the device locally with a stolen PIN or device password can also access the password manager.
Furthermore, the Custom Primary Password is not dependent on hardware. Windows Hello's biometric options, although more secure, are not always reliable, which is a source of frustration for many. Fingerprint scanners can sometimes fail to read, especially if they're dirty, broken, or the person's fingers are wet. Windows Hello's facial recognition also has a quirk: it doesn't work in the dark or in low-light conditions.
Third-party password managers still have master passwords (for now)
People who still want to use a master password can try third-party password managers that support the feature. Good examples are Bitwarden and NordPass. They use zero-knowledge encryption, meaning that even the providers do not know the master password, protecting it from exposure in a data breach. If you forget the master password, you might be asked to use a recovery code (something only you know) or to reset your account. A forgotten password was one of the biggest drawbacks of the Custom Primary Password in Edge: it was virtually unrecoverable.
Master passwords were designed to eliminate the risk of weak and repeated passwords. You create a single, strong, unique, and memorable password that lets you into your password vault filled with auto-generated passwords for your favorite sites. The biggest reason why the current security trends are moving away from passwords is that they're difficult to manage and highly phishable.
Luckily, vaults are also protected by multi-factor authentication and passkeys. But a master password can still be stolen, and that puts at risk any other accounts where it has been reused. We are entering an era in which Microsoft considers passwords a legacy authentication method, and it's hard to see others not following suit.