A new security finding reveals that Microsoft Edge stores all saved passwords in plaintext memory at launch, raising serious concerns about user safety.
Quick Summary – TLDR:
- Microsoft Edge loads all saved passwords into memory as plaintext at startup.
- Security researchers say this behavior is outdated and risky.
- Microsoft confirms the design is intentional and not considered a flaw.
- Experts warn this creates high risk in shared or enterprise environments.
What Happened?
Security researchers have discovered that Microsoft Edge decrypts and stores all saved user passwords in its process memory the moment the browser launches. This happens regardless of whether the user visits those websites during the session, exposing sensitive data unnecessarily.
How Edge Handles Passwords?
The issue came to light after detailed testing by security researcher @L1v1ng0ffTh3L4N, who examined how Chromium based browsers manage stored credentials. The findings show that Microsoft Edge behaves very differently from its competitors.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
Instead of decrypting passwords only when needed, Edge loads the entire password vault into memory in plaintext form at startup. These credentials remain in memory for the entire browser session.
To understand how unusual this is, consider how other browsers work:
- Google Chrome decrypts passwords only on demand, such as during autofill or when a user views them manually.
- Chrome also uses App Bound Encryption, which ties decryption keys to the browser process.
- This prevents other processes from accessing sensitive data.
Edge, however, lacks these protections. Once opened, it holds all credentials in a state that can be read if someone gains access to the system memory.
Why This Is a Serious Security Risk?
This design significantly increases the attack surface for potential threats. If an attacker gains access to system memory, they can retrieve all saved credentials without needing to interact with the browser.
A simple demonstration highlights the concern. In one test, a password that was never used during a session was still found in memory using a basic search tool. This confirms that Edge exposes even unused credentials in plaintext.
The risk becomes even more severe in shared environments:
- On terminal servers or remote desktop setups, multiple users run sessions on the same machine.
- An attacker with administrative access can read memory from all active sessions.
- This allows large scale credential harvesting across multiple users.
A proof of concept demonstration showed that an attacker could extract passwords from other logged in users, even if their sessions were disconnected but still active.
This aligns with known attack techniques under credential extraction from web browsers, making it a real world threat scenario.
The Illusion of Security in the UI
One of the most confusing aspects of this issue is how Edge presents security to users.
The browser still requires authentication, such as a PIN or Windows Hello, before showing saved passwords in its interface. On the surface, this suggests strong protection.
However, in reality:
- All passwords are already available in plaintext in memory.
- The authentication prompt only restricts UI access, not actual data exposure.
- Anyone with the ability to read process memory can bypass this completely.
This creates what researchers describe as a false sense of security.
Microsoft’s Response and Industry Reaction
The issue was disclosed on April 29 at the BigBiteOfTech conference by Palo Alto Networks Norway. Alongside the disclosure, researchers released a small verification tool that allows users to check whether their passwords are exposed in memory.
Microsoft responded by stating that this behavior is “by design”. The company also notes in its documentation that memory access under local attack conditions falls outside its threat model.
Security experts, however, strongly disagree with this stance. They argue that modern security practices require credentials to be decrypted only when needed and cleared quickly from memory.
The current approach used by Edge is widely seen as outdated and not aligned with current standards for protecting sensitive data.
What Users Should Do Now?
Until changes are made, cybersecurity professionals are advising caution, especially for enterprise users.
Recommended steps include:
- Avoid storing sensitive passwords directly in Microsoft Edge.
- Use dedicated password managers that support on demand decryption.
- Be extra cautious in shared or multi user environments.
- Monitor systems for unusual memory access activity.
Organizations running virtual desktops or shared systems should treat this as a high priority risk.
SQ Magazine Takeaway
I find this situation quite concerning. A browser handling sensitive data like passwords should follow the highest security standards, not lag behind them. The fact that all credentials sit in memory in plaintext from the moment Edge starts feels like an unnecessary risk. Even more worrying is that this is considered intentional. For me, this makes it hard to trust Edge as a secure place to store passwords, especially in work environments.
