Microsoft Edge password finding raises new concerns over cleartext credentials in memory
A security researcher has found that Microsoft Edge can load all saved passwords into readable process memory when the browser starts. The issue means stored credentials may sit in memory even if the user never opens the websites tied to those passwords during that session.
The finding does not describe a remote website exploit. An attacker still needs access to the device, the user session, malware running in the right context, or administrative control in a shared Windows environment.
Even with that limit, the behavior creates a serious enterprise risk. If every saved password sits in memory at once, memory scraping becomes far more valuable for attackers who already gained access to a machine or terminal server.
What the researcher found
Security researcher Tom Jøran Sønstebyseter Rønning disclosed the behavior after testing Microsoft Edge and other Chromium-based browsers. He said Edge loads saved credentials into cleartext memory at startup, not only when a user needs a specific password for autofill.
That detail matters because password managers normally need to decrypt a password at some point to fill it into a website. The safer pattern is to expose only what is needed, only when it is needed, and for as little time as possible.
In Edge’s case, the concern is broader exposure. A running browser process may contain the full saved password vault in readable form, which gives malware or an attacker with process memory access a larger target.
At a glance
| Item | Details |
|---|---|
| Browser involved | Microsoft Edge |
| Issue reported | Saved passwords loaded into cleartext process memory |
| When it happens | At browser launch, according to the researcher |
| User action needed | No website visit tied to the password is needed after Edge opens |
| Main attacker requirement | Access to the device, user session, malware context, or process memory |
| Highest-risk setting | Terminal servers, RDS, Citrix, VDI, and shared Windows systems |
| Microsoft response reported | The behavior was described as by design |
Why this matters despite requiring local access
Some users may dismiss the issue because it requires local or privileged access. That view misses the bigger problem in real-world attacks. Malware often runs inside a user session, and attackers often try to move from one compromised account to many more credentials.
Browser-stored passwords are attractive because they can unlock email, cloud dashboards, admin panels, developer tools, banking portals, and business systems. If those credentials appear together in memory, attackers can harvest more accounts in less time.
The risk becomes sharper on shared Windows systems. An administrator on a terminal server or VDI host can often access memory from other logged-in users’ processes, including disconnected sessions where Edge remains open.
Why the Edge prompt does not fully solve it
Edge can ask users to re-authenticate before showing a saved password in the password manager interface. That helps stop casual viewing through the browser UI.
The new disclosure points to a different layer. If the password already exists in the browser process memory in cleartext, a UI prompt does not stop memory inspection by malware or a user with enough access.
This creates a gap between what users see and what attackers may target. The visible password manager looks protected, but the process memory may already contain the same secrets in readable form.
How this compares with other browsers
| Browser behavior | Security impact |
|---|---|
| Decrypting all saved passwords at launch | Creates a larger memory target if an attacker can read the browser process |
| Decrypting passwords only when needed | Reduces how many credentials sit in cleartext memory at the same time |
| Using app-bound encryption for stored data | Raises the bar for stealers that try to decrypt browser data from outside the browser |
| Using a dedicated password manager | Can reduce browser-centered credential exposure when configured properly |
Google introduced App-Bound Encryption in Chrome 127 on Windows to make browser data harder for other applications to decrypt. That protection focuses on data at rest and the ability of other processes to reuse decryption material.
The Edge finding focuses on readable data after the browser has already decrypted it into memory. That distinction matters because strong storage encryption cannot protect a password once an application keeps it in plaintext RAM.
Security researchers have also shown that app-bound encryption can face bypass attempts. Even so, reducing how much cleartext data sits in memory remains a practical defense against common infostealer behavior.
Who faces the highest risk
- Users who save many work and personal passwords in Edge
- Companies that run Edge on terminal servers or shared desktops
- VDI and Citrix environments with many active user sessions
- Admins who manage systems where several users stay logged in
- Developers and IT teams with browser-saved access to cloud tools
- Users who leave Edge open for long sessions
What users should do now
Regular users should first understand that this is not the same as a remote hack through a malicious website. The practical danger starts when a device, user account, or shared environment already has another security problem.
Still, users who store important passwords in Edge should consider moving them to a dedicated password manager. After migration, they should remove saved passwords from Edge and turn off the browser’s offer to save new passwords.
Users should also enable multifactor authentication or passkeys on important accounts. That reduces the damage if a password gets exposed through memory scraping, malware, or another local attack.
What enterprise admins should do
- Review whether Edge password saving is allowed on managed devices.
- Disable browser password storage through policy in high-risk environments.
- Prioritize this review for RDS, Citrix, VDI, and terminal server deployments.
- Move privileged accounts to a managed enterprise password vault.
- Block users from saving admin, VPN, cloud, and financial credentials in browsers.
- Reduce standing administrator access on shared Windows systems.
- Monitor for suspicious memory dump creation and credential dumping behavior.
- Train users to close browsers before disconnecting from shared sessions.
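For the monitoring item above, one way to triage process-access telemetry for reads of Edge memory. This is an added example, not code from the researcher or Microsoft. It assumes events shaped like Sysmon Event ID 10 (ProcessAccess) records that carry the `SourceUser` and `TargetUser` fields; the allowlist, the sample events and the tool paths in them are constructed for illustration.

```python
# Added example: flag handles that can read msedge.exe memory (Sysmon-style events).
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: sources expected to open Edge on this host; tune per environment.
ALLOWED_SOURCES = {r"c:\program files (x86)\microsoft\edge\application\msedge.exe"}
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage(event):
    """Return None for events of no interest, else a finding dict."""
    if basename(event["TargetImage"]) != "msedge.exe":
        return None
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None  # query-only handle, cannot read memory
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return None  # Edge's own processes opening each other
    # A different account reading Edge memory is the shared-host case (RDS, VDI).
    cross_user = event["SourceUser"].lower() != event["TargetUser"].lower()
    return {
        "source": event["SourceImage"],
        "target_user": event["TargetUser"],
        "granted_access": hex(access),
        "severity": "high" if cross_user else "medium",
    }

def scan(events):
    return [finding for finding in map(triage, events) if finding]

def ev(src, tgt, access, src_user, tgt_user):
    return {"SourceImage": src, "TargetImage": tgt, "GrantedAccess": access,
            "SourceUser": src_user, "TargetUser": tgt_user}

# Constructed sample events; tool paths and account names are hypothetical.
SAMPLE_EVENTS = [
    ev(EDGE, EDGE, "0x1FFFFF", r"CORP\alice", r"CORP\alice"),
    ev(r"C:\Windows\System32\Taskmgr.exe", EDGE, "0x1000", r"CORP\alice", r"CORP\alice"),
    ev(r"C:\Users\alice\AppData\Local\Temp\tool.exe", EDGE, "0x1410",
       r"CORP\alice", r"CORP\alice"),
    ev(r"C:\Tools\reader.exe", EDGE, "0x1FFFFF", r"CORP\admin1", r"CORP\bob"),
    ev(r"C:\Tools\reader.exe", r"C:\Windows\System32\notepad.exe", "0x1FFFFF",
       r"CORP\admin1", r"CORP\bob"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Security products and crash handlers also open browser processes with read access, so the allowlist needs to reflect what is normal on the host before findings are routed to alerting.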
Microsoft’s position and the bigger question
Microsoft’s own documentation says Edge encrypts saved passwords on disk and designs the system so plaintext passwords should not be available for a user who is not logged in. Reports say Microsoft treated the researcher’s finding as expected behavior rather than a vulnerability requiring immediate servicing.
That leaves security teams with a policy decision. Even if Microsoft does not classify the behavior as a vulnerability, organizations can still decide that browser-based password storage creates too much risk in shared or sensitive environments.
The safer path is to treat Edge’s password manager as a convenience feature, not as the main place to store high-value credentials. For business systems, admin portals, cloud consoles, and financial accounts, stronger credential controls now make more sense.
FAQ
Yes. Terminal servers, RDS, Citrix, and VDI environments can create a bigger impact because many users may have active browser sessions on the same system.
Applications must decrypt passwords to use them, but keeping all saved credentials readable in memory increases the value of memory scraping attacks.
The reports do not describe a normal remote website exploit. An attacker needs access to the device, user session, malware context, or process memory.
No. Microsoft says Edge encrypts saved passwords on disk. The new concern focuses on what happens after Edge launches and credentials appear in process memory.