Does Windows 8 pull wifi keys from the cloud?

  • Question

  • I came home from work with a new surface tablet yesterday and without having to enter a key, my wifi was connected.  I use a WPA2 protected network at home, and without entering a key, I shouldn't be able to connect to it.  Is there a setting somewhere that allows this information to be stored in the cloud?  If so, how do I turn it off?

    I'd really hate having a device stolen and suddenly someone has access to all my wifi keys, especially because I use my laptop to connect to several networks, and if I sign into a device it'd be easy for someone to connect to a network.  I've found the lock time to require a password is very hit and miss so far, so this can potentially be a security risk.

    I would think that all of my passwords that I've saved in IE or other venues would be safe, but since they are apparently being sent up to the cloud, if a device doesn't lock consistently it'd be rather easy for someone to connect to networks that I may not want them to.

    Saturday, October 27, 2012 7:59 PM


  • Yes, Windows now roams WiFi passwords with your Microsoft Account.  This is controlled in the PC Settings > Sync your settings panel.  You can disable the roaming of passwords.

    Note that toggling this setting won't protect you in the "stolen laptop" situation, since if Windows is configured to automatically connect to a network, the network credential is still saved on the laptop.  If the computer is still logged-in, then the bad guy can just dump out all keys with a few commands.  This is no different from Windows 7, where a couple PowerShell commands can dump all your saved passwords.

    However, all Windows RT devices, like your new Surface RT, support secure passwords and encrypt the hard drive.  Therefore, a bad guy won't be able to read the key off the hard drive, if the computer is turned off or locked.

    Instead, toggling this setting would protect you if somebody gains unauthorized access to your Microsoft Account, and the bad guy can answer your account's security questions.  A Windows PC cannot receive any of your roamed settings until you've "confirmed" that PC is truly in your hands.  Confirmation requires more than just the account password -- you must also authorize the new PC from a pre-existing PC or phone.

    So actually the threat is less than it might seem, since the bad guy has to either:

    • steal your PC while your PC is currently logged into your account (exact same threat as Windows 7 or other operating systems), or
    • steal your Microsoft Account and password, and also steal your cellphone so he can authorize his PC to receive your roamed passwords

    And of course, if you're not comfortable with this, just disable the roaming setting.

    Tuesday, October 30, 2012 2:58 AM
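
An added example (not part of the original thread): since the answer notes that network credentials stay saved on the device whether or not roaming is enabled, this PowerShell sketch inventories the Wi-Fi profiles stored locally and flags those that auto-connect with a stored key, so unneeded ones can be removed. It assumes English-language `netsh` output; the function names `Get-NetshField` and `Get-SavedWlanProfile` are hypothetical.

```powershell
# Added example: list saved WLAN profiles without ever requesting key material.
# Assumption: netsh output is in English; field labels differ on localized systems.

function Get-NetshField {
    param([string[]]$Lines, [string]$Label)
    # Return the value of the first "Label : value" line, or $null if absent.
    $m = $Lines |
        Select-String -Pattern ("^\s*" + [regex]::Escape($Label) + "\s*:\s*(.+)$") |
        Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-SavedWlanProfile {
    # Profile names appear as "All User Profile : <name>" (or "Current User Profile").
    $names = netsh wlan show profiles |
        Select-String -Pattern '^\s*(?:All|Current) User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        [pscustomobject]@{
            Name           = $name
            ConnectionMode = Get-NetshField $detail 'Connection mode'
            Authentication = Get-NetshField $detail 'Authentication'
            KeyStored      = (Get-NetshField $detail 'Security key') -eq 'Present'
        }
    }
}

$profiles = @(Get-SavedWlanProfile)
$profiles | Format-Table -AutoSize

# Profiles that will reconnect on their own and hold a saved key.
$profiles |
    Where-Object { $_.ConnectionMode -like 'Connect automatically*' -and $_.KeyStored } |
    ForEach-Object { "Review: '$($_.Name)' auto-connects with a stored key" }

# To forget a network that is no longer needed (removes its saved key):
#   netsh wlan delete profile name="<profile name>"
```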