Why the Hell Is Windows 10 Sharing My Wifi Passwords?

Gizmodo claims that if you upgrade to Windows 10 from a previous installation (which helpfully saves all of your old Wi-Fi network passwords), Wi-Fi Sense sharing is enabled by default for all of those networks.

First, a bit of anti-scaremongering. Wi-Fi Sense was previously part of the Windows Phone operating system. As a Windows Phone user, I’ve been using both aspects of Wi-Fi Sense for almost a year on my Nokia Lumia 1520. That concern, at least, is unfounded, based on Wi-Fi Sense for Windows Phone. Sharing is caring, but Windows 10 may have pushed the sentiment a little too far.

Like a few other Windows 10 features, Wi-Fi Sense started its life on Windows Phone.

Wi-Fi Sense may not be the security risk that some critics fear, but it would still be wise to disable it during the Windows 10 setup process-at least until we know more about the security of Microsoft’s storage servers and distribution method. The exception, of course, is that if you shared your actual password with a friend, they could then use Wi-Fi Sense to share login privileges with all of their contacts. In theory, this is more convenient than connecting to Wi-Fi networks manually, while also minimizing any mobile data consumption. It seems as though what was originally a clever Windows Phone feature, which attracted praise at the time has unexpectedly morphed into one of the biggest security scares on Windows 10.

Says Microsoft’s FAQ: “The networks you share aren’t shared with your contacts’ contacts”. Wi-Fi Sense won’t work with a local account.

Microsoft says, the system works by allowing people to share Internet access without seeing each other’s passwords.

When Wi-Fi Sense is fully enabled, it shares most of your Wi-Fi access passwords with all of your Outlook.com, Skype, and Facebook contacts. “As we’ve explained several times before, not all free or open Wi-Fi networks are secure and others can be deliberately malicious”. If the network sends through a sign-up form, Wi-Fi Sense will try to fill it out for you and get you signed up, automatically accepting the terms and conditions, if required.

Does Wi-Fi Sense reveal my passwords? There might be a way to see the decrypted passkeys if you go hunting through the registry, or something along those lines, but it’s certainly not something that most people are likely to do. Corporate networks notwithstanding (and you shouldn’t share those networks with Wi-Fi Sense anyway), most people give out their Wi-Fi keys freely. It’s a pain, and most people won’t do it because they won’t even know that Windows 10 is sharing their passwords in this fashion, but it’s the only secure way forwards at the moment beyond not upgrading to Windows 10 in the first place. Security firms have repeatedly advised users to not connect to an open Wi-Fi network.

Despite the encryption, the password is bound to be stored locally on the machine which is a vulnerability in itself. Depending on Microsoft’s infosec protocols, this is either completely fine and dandy, or a potential goldmine for wardriving hackers. The app scans through a user’s Facebook account and Outlook contacts, and shares the username and password with their friends. In the end, it’s up to you whether you use Wi-Fi Sense or not. For most users, the added convenience of Wi-Fi Sense will probably win out. It can automatically connect you to public Wi-Fi networks if you provide some basic personal details about yourself. I haven’t made any changes since and it remains a pleasant surprise to find that I am connected to Wi-Fi in a new town or shop. Furthermore, not everyone you’ve exchanged emails with is a friend either. In the settings applet that pops up, click “Manage Wi-Fi settings”.

To disable Wi-Fi sense, head into Wi-Fi->Network settings->Manage Wi-Fi settings, and uncheck basically all the boxes you can see. In Microsoft’s defense, the company says that the password it shares with one’s friends is done so over an encrypted network.