A recent cybersecurity investigation has revealed a significant concern regarding how Microsoft Edge handles user credentials. The findings, shared by researcher Tom Jøran Sønstebyseter Rønning, indicate that the browser stores saved passwords in plaintext—meaning they are unencrypted and readable—within the system’s RAM while the application is active.

Unlike many modern browsers that decrypt credentials only at the moment of use, Microsoft Edge appears to keep all stored passwords accessible in the system memory for the duration of the browser session. This behavior persists as long as the application is running, regardless of whether the user is actively accessing their password manager or logging into a website.

The primary risk associated with this behavior involves local security. If an unauthorized individual gains physical access to a machine or manages to obtain administrative privileges remotely, they could potentially extract sensitive login information directly from the RAM. Rønning demonstrated this by posting a proof-of-concept tool on GitHub, which illustrates how easily these data strings can be retrieved in a legible format.

The investigation highlights a significant departure from the security protocols used by other Chromium-based browsers. Google Chrome, for instance, typically decrypts credentials only when necessary and clears them from the memory shortly thereafter to minimize the “window of exposure.” Microsoft Edge’s architecture, however, maintains this data in an unencrypted state continuously throughout the session.
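The decrypt-on-use pattern described above can be sketched as follows. This is an added illustration, not code from Edge, Chrome or the researcher's tool; the XOR mask is a constructed stand-in for real encryption, and all names (`vault_entry`, `vault_use`, `region_contains`) are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#define SECRET_MAX 64
/* A saved credential held only in masked form. The XOR mask is a constructed
   stand-in for real encryption; a real store keeps its key outside the process. */
typedef struct { unsigned char blob[SECRET_MAX]; size_t len; unsigned char key; } vault_entry;
typedef int (*secret_user)(const char *plain, size_t len, void *ctx);

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void vault_store(vault_entry *e, const char *plain, unsigned char key) {
    e->len = strlen(plain);
    if (e->len >= SECRET_MAX) e->len = SECRET_MAX - 1;
    e->key = key;
    for (size_t i = 0; i < e->len; i++) e->blob[i] = (unsigned char)plain[i] ^ key;
}

/* Decrypt on use: plaintext exists only in tmp, only while fn runs. */
int vault_use(const vault_entry *e, secret_user fn, void *ctx) {
    char tmp[SECRET_MAX];
    for (size_t i = 0; i < e->len; i++) tmp[i] = (char)(e->blob[i] ^ e->key);
    tmp[e->len] = '\0';
    int rc = fn(tmp, e->len, ctx);
    secure_wipe(tmp, sizeof tmp);   /* close the window of exposure */
    return rc;
}

/* Self-check for tests: does a memory region hold the needle bytes? */
int region_contains(const void *mem, size_t n, const char *needle) {
    size_t m = strlen(needle);
    const unsigned char *p = (const unsigned char *)mem;
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed consumer: stands in for filling a login form. */
int matches(const char *plain, size_t len, void *ctx) {
    return strlen((const char *)ctx) == len && memcmp(plain, ctx, len) == 0;
}

int main(void) {
    vault_entry e = {0};
    vault_store(&e, "constructed-pass-1", 0x5A);
    return vault_use(&e, matches, (void *)"constructed-pass-1") ? 0 : 1;
}
```

A store that instead decrypts every entry at startup and keeps the results resident would fail the `region_contains` self-check for the whole session.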

Microsoft’s Response and Design Philosophy

Despite criticism from the cybersecurity community, Microsoft has acknowledged the behavior but maintains that it is not a software bug. Instead, the company has characterized it as an intentional design decision. So far, Microsoft has not provided a specific technical justification for why keeping sensitive credentials permanently accessible in memory offers a practical advantage for the user.

For users who rely on Microsoft Edge as their primary password manager, these revelations raise significant questions regarding local privacy and data protection. Security experts suggest using dedicated third-party password managers or ensuring that browsers are fully closed when not in use to mitigate such risks.
