vxlabs.

Microsoft Edge Keeps Every Saved Password in Cleartext Memory — And Microsoft Says It's "By Design"

What Happened

On April 29, 2026, security researcher Tom Jøran Sønstebyseter Rønning (known as @L1v1ng0ffTh3L4N) presented a finding at BigBiteOfTech alongside Palo Alto Networks Norway that should concern every Edge user: Microsoft Edge decrypts your entire saved password vault into plaintext process memory the moment the browser launches — and keeps it there for the entire session, even if you never visit any of those sites.

The researcher systematically tested every major Chromium-based browser. Edge was the only one that exhibited this behavior.

When responsibly disclosed to Microsoft, the company's response was that this is "by design."

How It Works

When you open Microsoft Edge, the browser immediately decrypts every credential stored in its password manager and loads them into the browser's process memory as cleartext. This includes usernames and passwords for every site you've ever saved credentials for — your bank, your email, your social media, your work tools — all of it, sitting in readable plaintext in RAM.

This happens regardless of whether you visit any of those sites during your session. The passwords stay exposed in memory until you close the browser.

The Irony: A Re-Auth Gate That Protects Nothing

Here's the contradictory part. Edge still prompts you to re-authenticate (Windows Hello, PIN, etc.) before it will show you passwords in the Password Manager UI. So the browser creates the illusion of access control — you think your passwords are locked until you prove your identity.

But behind the scenes, the browser process already has every single credential in plaintext. Anyone (or any program) that can read process memory bypasses that re-authentication completely. The gate is cosmetic.

How Chrome Does It Differently

Google Chrome, which shares the same Chromium codebase, takes a fundamentally different approach:

  • On-demand decryption: Chrome only decrypts a credential at the exact moment it's needed — during autofill or when you explicitly view a saved password.
  • App-Bound Encryption (ABE): Chrome cryptographically binds decryption keys to an authenticated Chrome process. Other processes on the same machine cannot reuse those keys to extract credentials.

Edge implements neither of these protections.

Why This Is Dangerous — Especially in Enterprise

For a solo user on a personal laptop, the risk requires local access — malware running on your machine or someone physically at your keyboard. That's not trivial, but it's also not rare. Any infostealer malware running under your user account gets a free pass to every password you've ever saved, in one memory dump.

The real nightmare scenario is shared environments: Remote Desktop Services (RDS), terminal servers, VDI deployments, or any multi-user Windows system. In the researcher's proof-of-concept demonstration, a compromised administrator account was used to extract stored credentials from two other logged-on users — including users with disconnected but still active sessions — simply by reading their Edge browser process memory.

One compromised admin account = full credential harvest across every user on that server. This maps directly to MITRE ATT&CK T1555.003 — Credentials from Web Browsers.
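As an added example (not from the original post or the researcher's proof of concept), the following Python sketches detection logic for the access pattern described above: it scans constructed log lines loosely modelled on Sysmon Event ID 10 (ProcessAccess) fields and flags non-Edge processes that obtain PROCESS_VM_READ on msedge.exe, escalating when the reading account differs from the Edge session owner, the shared-host case. The pipe-delimited layout, the allowlist path and the user names are assumptions for illustration.

```python
from dataclasses import dataclass

# Documented Windows access right required to read another process's memory.
PROCESS_VM_READ = 0x0010
EDGE_IMAGE = "msedge.exe"

# Site-specific allowlist of tools expected to open Edge with read access
# (assumed path for illustration; populate from your own baseline).
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample log modelled on Sysmon Event ID 10 fields; the
# pipe-delimited key=value layout is an assumed export format, not raw Sysmon.
SAMPLE_LOG = r"""
SourceImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1FFFFF|SourceUser=CORP\alice|TargetUser=CORP\alice
SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1FFFFF|SourceUser=NT AUTHORITY\SYSTEM|TargetUser=CORP\alice
SourceImage=C:\Users\admin\AppData\Local\Temp\dump.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1010|SourceUser=CORP\admin|TargetUser=CORP\bob
SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1000|SourceUser=CORP\alice|TargetUser=CORP\alice
"""

@dataclass
class Finding:
    source_image: str
    target_user: str
    cross_user: bool   # reader's account differs from the Edge session owner
    severity: str

def parse_line(line):
    """Split one pipe-delimited key=value record into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def assess(event):
    """Return a Finding if this ProcessAccess event looks like Edge memory scraping."""
    if not event.get("TargetImage", "").lower().endswith(EDGE_IMAGE):
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None                      # handle lacks the memory-read right
    source = event.get("SourceImage", "").lower()
    if source.endswith(EDGE_IMAGE) or source in ALLOWLIST:
        return None                      # Edge's own child processes, baselined tools
    # A cross-user read is the RDS/VDI case: one account reading another user's vault.
    cross = event.get("SourceUser", "").lower() != event.get("TargetUser", "").lower()
    return Finding(event["SourceImage"], event["TargetUser"], cross,
                   "high" if cross else "medium")

def scan(log):
    """Run assess() over every non-empty line and collect the findings."""
    return [f for f in (assess(parse_line(l)) for l in log.splitlines() if l.strip()) if f]
```

Running `scan(SAMPLE_LOG)` yields a single high-severity finding for dump.exe reading bob's Edge process from the admin account; Edge's own processes, the allowlisted tool, and the query-only Task Manager handle are ignored.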

Microsoft's Response

Microsoft's existing documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, but categorizes these scenarios as outside the browser's threat model. Their public documentation states that for most threat models, using the Edge password manager is the recommended option — but that guidance predates this disclosure.

No updated guidance has been published as of the time of writing.

What You Should Do

1. Stop using Edge's built-in password manager for sensitive credentials. Migrate to a dedicated password manager like Bitwarden or 1Password that uses zero-knowledge encryption and a master password. These tools decrypt credentials individually and on-demand.

2. If you must stay on Edge's password manager, enable "Require authentication before autofill" in Edge settings (edge://settings/passwords). This won't fix the underlying memory issue, but it adds a layer against casual credential use.

3. Enterprise admins: Treat this as a high-priority configuration risk. If you're running terminal servers, VDI, or any shared Windows environment with Edge deployed, consider migrating users to Chrome or a browser with on-demand decryption and App-Bound Encryption.

4. Keep your system clean. Since exploitation requires local access, standard hygiene — keeping your OS patched, avoiding untrusted software, running endpoint protection — reduces (but does not eliminate) the risk.

The Bigger Picture

The fact that Edge is the only Chromium browser doing this is what makes it notable. This isn't a fundamental limitation of browser password managers — Chrome proved that with ABE and on-demand decryption. This is a design choice Microsoft made, and one they've explicitly chosen to defend rather than fix.

For users who save passwords in Edge, every credential is one memory dump away from exposure, for the entire duration of every browsing session, whether you use those sites or not. That's an unnecessarily wide attack surface with no user-facing benefit.
