Microsoft Edge is changing its behavior to load saved passwords into memory in plain text upon startup.



Microsoft has announced a change to how Microsoft Edge handles saved passwords: until now they were loaded into memory in 'plaintext' (unencrypted, so readable directly by programs and people) when the browser started. Future versions of Edge will no longer load saved passwords into memory at startup.

Saved passwords in Edge memory: what we're changing and why | Microsoft Browser Vulnerability Research

https://microsoftedge.github.io/edgevr/posts/Saved-passwords-in-Edge-memory-what-were-changing-and-why/

The issue at hand was that passwords saved in Edge's password manager were decrypted not at the moment they were actually entered into a login form, but when the browser was launched. Passwords are encrypted when saved, and decryption is unavoidable at the point of use, such as autofill. However, it was pointed out that if decrypted passwords sit in memory from the moment of launch, there is a greater risk of them being read by malware that has already compromised the device.

The behavior of Edge, where passwords stored in the browser are decrypted upon launch and stored in plain text in process memory, has been criticized as problematic, as described in the following article. Tom Yoran Sonsteviseter Ronning, the security researcher who discovered this behavior, has also released a proof-of-concept tool that allows an attacker with administrator privileges to retrieve passwords from another user's Edge process. Even without administrator privileges, it is possible to access authentication information if the Edge process is launched with the same user privileges as the attacker.

Microsoft Edge is reportedly storing passwords in plain text in memory - GIGAZINE



Microsoft initially explained that the reported behavior fell within the scope of its existing threat model, since it assumed that the attacker had already compromised the device. A threat model is the set of assumptions that defines which kinds of attackers and attack methods a defense is expected to withstand. Microsoft stated that attacks by an attacker who already controls the local device, or by malware running with high privileges, cannot be completely prevented by Edge's password manager alone.

Meanwhile, on May 14, 2026, Microsoft announced its intention to improve the design that decrypts saved passwords and loads them into memory at startup, from a defense-in-depth perspective. Defense in depth is the idea that even if one layer of defense is breached, another layer can limit the damage. Microsoft states that it is worthwhile to reduce the opportunities for plaintext passwords to exist in memory, even if an attacker is already able to execute code on the device.
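The two designs contrasted above, decrypt-everything-at-startup versus decrypt-per-use-and-wipe, can be made concrete with a small model. The following is an added example written for this page; it is not Edge's code or Microsoft's, and it uses a toy SHA-256 counter-mode keystream, a constructed key and constructed sample passwords as stand-ins for the platform key store and real credentials. The point it shows is the lifecycle of the plaintext, not the cipher.

```python
"""Eager vs. on-demand decryption of a password store (illustrative model, not Edge's code)."""
import hashlib
import secrets
from contextlib import contextmanager

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) standing in for the platform
    # key store a real browser would use. Not for production use.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext for one stored credential."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytearray:
    """Decrypt into a mutable bytearray so the caller can wipe it afterwards."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytearray(c ^ k for c, k in zip(ct, ks))


class EagerVault:
    """The criticised design: every password decrypted at 'startup' and kept resident."""

    def __init__(self, key: bytes, stored: dict):
        self._plain = {origin: decrypt(key, blob) for origin, blob in stored.items()}

    def autofill(self, origin: str) -> bytearray:
        return self._plain[origin]

    def plaintext_resident(self) -> int:
        # Credentials readable by anything able to scan this process's memory.
        return len(self._plain)


class LazyVault:
    """The hardened design: only ciphertext is resident; decrypt per use, then wipe."""

    def __init__(self, key: bytes, stored: dict):
        self._key = key
        self._stored = dict(stored)
        self._live = 0

    @contextmanager
    def autofill(self, origin: str):
        buf = decrypt(self._key, self._stored[origin])
        self._live += 1
        try:
            yield buf
        finally:
            # Best-effort wipe. CPython may leave temporaries behind, so the
            # exposure window is short but not provably zero.
            for i in range(len(buf)):
                buf[i] = 0
            self._live -= 1

    def plaintext_resident(self) -> int:
        return self._live


def demo() -> dict:
    """Record how many plaintext credentials each design keeps in memory over time."""
    key = secrets.token_bytes(32)  # constructed; a browser would obtain this from the OS key store
    stored = {  # constructed sample credentials
        "https://mail.example.test": encrypt(key, b"constructed-password-1"),
        "https://bank.example.test": encrypt(key, b"constructed-password-2"),
    }
    eager = EagerVault(key, stored)
    lazy = LazyVault(key, stored)
    timeline = {
        "eager_after_startup": eager.plaintext_resident(),
        "lazy_after_startup": lazy.plaintext_resident(),
    }
    with lazy.autofill("https://mail.example.test") as pw:
        timeline["lazy_during_autofill"] = lazy.plaintext_resident()
        timeline["lazy_recovered"] = bytes(pw) == b"constructed-password-1"
    timeline["lazy_after_autofill"] = lazy.plaintext_resident()
    timeline["buffer_wiped"] = all(b == 0 for b in pw)
    return timeline


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The eager vault has every credential resident from startup onward, which is the state the researcher's proof-of-concept relied on; the lazy vault has none resident except during a single autofill, after which the buffer is overwritten. Neither design stops an attacker who already runs code in the process, which is exactly the threat-model point Microsoft made; the change only narrows the window.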



The change has already been rolled out to Edge Canary and will be extended to the other supported Edge channels: Stable, Beta, Dev and Extended Stable for enterprises. Users of Edge's password manager do not need to take any action; the change arrives through a regular update.

Microsoft explained that 'the reported behavior does not immediately create a new attack vector,' and added that 'reducing the time saved passwords remain in memory in plain text is a practical measure to strengthen Edge's defenses.'

in Software, Security, Posted by log1d_ts