Microsoft Edge Found to Store Passwords in Plain Text

A security researcher has revealed that Microsoft’s Edge browser loads every single one of your saved passwords into your computer’s memory in plain text the moment you open the application (via ComputerWorld).

Researcher Tom Jøran Sønstebyseter Rønning discovered this behaviour and shared his findings this week. According to Rønning, Edge decrypts your entire password vault and keeps it in the browser's process memory (RAM) for as long as the browser is open.

The most concerning part of this discovery is that Edge does this regardless of whether you actually visit the websites associated with those passwords. Even if you only open the browser to check the weather, your banking, email, and social media passwords are all sitting in the background in a readable format.

While Microsoft Edge is based on Google’s open-source Chromium project, it appears to be the only major browser that handles passwords this way. Rønning tested several other Chromium-based browsers, including Google Chrome, Brave, and Opera. None of them followed this practice.

In contrast, Chrome uses a method called App-Bound Encryption. This system ensures that passwords are only decrypted when they are actually needed for autofill on a specific site. Once the sign-in is complete, the plain-text version is wiped from memory.

When Rønning reported his discovery to Microsoft, the company responded by saying the behaviour is “by design.” Microsoft argues that for an attacker to exploit this, they would already need to have compromised the user’s device or have administrative access. “Design choices in this area involve balancing performance, usability, and security,” a Microsoft spokesperson stated.

While it is true that a hacker would need access to your system to “scrape” the memory, security experts argue that this design makes the job much easier for info-stealing malware.
