Microsoft Edge Stored All Passwords in Plaintext RAM - Now Fixed in Edge 148

24.05.2026

Microsoft Edge's storage of saved passwords as plaintext in process memory has been a quietly dangerous reality for users of the world's second most popular desktop browser - and when a security researcher published proof, Microsoft's initial response was that the behavior is "by design." The company has since reversed course under public pressure, announcing that Edge 148 will change how credentials are handled in memory. The episode is a significant reminder that browser-integrated password management is not the secure vault most users assume it to be.

What Edge Was Doing With Your Passwords

Security researcher Tom Jøran Rønning published a proof-of-concept demonstrating that Microsoft Edge decrypts your entire saved-password store on startup and keeps every single credential in process memory as cleartext - for the full duration of your browsing session, whether or not you ever visit those sites or autofill those passwords.

This is not how other Chromium-based browsers handle the same data. Chrome, for example, only loads a password into memory in plaintext at the moment a user explicitly requests to view it in the password manager or when autofill is triggered for that specific credential. Edge was doing the opposite: decrypting everything at once and leaving it all sitting in RAM.

The practical consequence: any process running with administrator privileges on your machine - malware, a compromised application, or a remote attacker with elevated access - could read all your saved passwords by scanning Edge's process memory. No need to crack encryption. No need to access the disk. Just read what Edge already decoded for you.

Microsoft's "By Design" Defense - and the Backtrack

When Rønning's findings went public, Microsoft's initial response was that the plaintext memory behavior is a deliberate design decision. The company's reasoning: this approach speeds up autofill and sign-in, and reading another process's memory already requires a compromised machine or elevated access - a scenario Microsoft considers out of scope for browser-level security.

That argument did not survive public scrutiny. The "already compromised machine" logic, sometimes called "assume breach minimization," is precisely the reason security research exists: once attackers are on your machine, minimizing what they can harvest matters enormously. Leaving every saved password decrypted in RAM for the entire session is the opposite of damage control.

Under pressure from the security community, Microsoft reversed its position. Starting with Edge version 148, the browser will no longer preload all stored passwords into memory in unencrypted form. Credentials will instead follow the same model as Chrome: only loaded into memory in cleartext when actually needed.
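The two memory models described above (decrypt everything at startup versus decrypt one credential at the moment of use) can be compared in a small sketch. This is an added example, not code from Edge, Chromium or the researcher's PoC; the vault layout, the function names and the XOR "encryption" are hypothetical stand-ins chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#define N 3    /* entries in the constructed sample store */
#define LEN 32 /* fixed slot size per credential */
/* XOR with a fixed byte stands in for the real at-rest encryption (assumption). */
static const unsigned char KEY = 0x5A;
static const char *SAMPLE[N] = {"mail-pw-1", "bank-pw-22", "vpn-pw-333"}; /* constructed */
typedef struct {
    unsigned char sealed[N][LEN]; /* ciphertext, always resident */
    char cache[N][LEN];           /* plaintext kept all session (eager model only) */
} vault_t;
static void xor_buf(unsigned char *dst, const unsigned char *src) {
    for (size_t i = 0; i < LEN; i++) dst[i] = src[i] ^ KEY;
}
/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *b = p;
    while (n--) *b++ = 0;
}
void vault_init(vault_t *v) {
    memset(v, 0, sizeof *v);
    for (int i = 0; i < N; i++) {
        unsigned char tmp[LEN] = {0};
        strncpy((char *)tmp, SAMPLE[i], LEN - 1);
        xor_buf(v->sealed[i], tmp);
        wipe(tmp, sizeof tmp);
    }
}
/* Eager model: decrypt every credential up front and keep it. */
void eager_load(vault_t *v) {
    for (int i = 0; i < N; i++) xor_buf((unsigned char *)v->cache[i], v->sealed[i]);
}
/* On-demand model: decrypt one credential into a stack buffer, use it, wipe it. */
int with_secret(const vault_t *v, int idx, int (*use)(const char *)) {
    char plain[LEN];
    xor_buf((unsigned char *)plain, v->sealed[idx]);
    int rc = use(plain);
    wipe(plain, sizeof plain);
    return rc;
}
/* Number of credentials the vault currently holds decrypted. */
int resident_plaintext(const vault_t *v) {
    int n = 0;
    for (int i = 0; i < N; i++) n += (v->cache[i][0] != '\0');
    return n;
}
int use_len(const char *pw) { return (int)strlen(pw); } /* stand-in for autofill */
int eager_resident(void) { vault_t v; vault_init(&v); eager_load(&v); return resident_plaintext(&v); }
int lazy_resident(void) { vault_t v; vault_init(&v); with_secret(&v, 1, use_len); return resident_plaintext(&v); }
int main(void) { printf("eager=%d on-demand=%d\n", eager_resident(), lazy_resident()); return 0; }
```

In production code the wipe step would normally use a platform primitive such as SecureZeroMemory on Windows or explicit_bzero on glibc and the BSDs, which exist for the same reason the volatile loop is used here.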

Check your Edge version: If you are running Edge below version 148 and use its built-in password manager, all your saved credentials are currently decrypted in process memory for the entire duration of your browsing session.

Why This Is Worse Than Microsoft Admitted

The "you need admin access anyway" argument misses several real-world attack scenarios where plaintext passwords in RAM represent a meaningful additional risk:

  • Memory scraping malware: Credential stealers routinely scan browser process memory. Edge's design made this trivially easy - no decryption work required.
  • Cross-process attacks: Certain vulnerability classes allow processes with lower privileges to read memory from higher-privilege processes in ways that bypass normal OS protections.
  • Live memory forensics: Law enforcement and adversarial actors performing live memory analysis of a running machine could extract all saved credentials without ever touching the encrypted database on disk.
  • Shared or managed machines: In enterprise environments, multiple users or IT administrators may have access to memory inspection tools that could expose credentials from another user's session.

The scale of the exposure also matters. Edge is one of the world's most widely used browsers, with hundreds of millions of installations across consumer and enterprise environments. The password manager is a core feature, not an edge case. A design flaw at this level affects an enormous number of users who trusted the browser to handle their credentials safely.

What You Should Do Now

Until Edge 148 rolls out to your device, the exposure window is active. Here are concrete steps to reduce your risk:

  1. Check your current Edge version at edge://settings/help - if it is below 148, the issue is present.
  2. Remove sensitive passwords from Edge's built-in password manager and migrate them to a standalone password manager application. Standalone managers encrypt credentials at rest and only decrypt in memory at the moment of use.
  3. Enable automatic updates for Edge so that version 148 installs as soon as it becomes available in your channel.
  4. Review whether any work or admin accounts are stored in Edge on shared or enterprise-managed machines, where other users or IT staff may have memory-inspection access.

The broader lesson here is architectural. Browser-integrated password managers trade a meaningful security boundary for convenience. When a browser keeps all credentials decrypted in RAM, the encryption protecting those passwords on disk offers no protection against any attacker or malware that reaches the running process. A dedicated password manager application, by contrast, operates with a separate memory space and a tightly controlled decryption lifecycle.

This incident also highlights the importance of independent security research. Microsoft's initial "by design" position would have stood indefinitely without a public PoC forcing the issue into the open. The security community's ability to review, challenge, and expose the behavior of widely deployed software is a critical check on vendor decisions that affect hundreds of millions of users.

Conclusion: Microsoft Edge's decision to decrypt all saved passwords at startup and hold them in cleartext RAM was a serious design error that the company initially defended and then quietly reversed under public pressure. Update to Edge 148 when available, and treat browser-integrated password managers as convenience features rather than security foundations for your most sensitive credentials.