Microsoft Edge will stop loading saved passwords into memory at startup
Microsoft is changing how Edge handles saved passwords after a researcher showed that the browser loaded stored credentials into process memory in clear text at startup.
The company says Edge will no longer load saved passwords into memory when the browser launches. The change is already live in Edge Canary and will roll out to every supported Edge channel, including Stable, Beta, Dev, Canary, and Extended Stable, starting with build 148 and newer.
Microsoft says users do not need to take any action. The update will arrive through the normal Edge update process.
What Microsoft is changing in Edge
The change affects Edge’s built-in password manager. Until now, Edge could load saved passwords into memory at startup, even before a user visited the websites tied to those credentials.
Security researcher Tom Jøran Sønstebyseter Rønning publicly disclosed the behavior earlier in May. Microsoft said the scenario falls within its existing threat model because an attacker would already need control of the device to access that memory.
Even so, Microsoft decided to reduce exposure. The company described the update as a defense-in-depth improvement linked to its Secure Future Initiative.
| Item | Details |
|---|---|
| Product | Microsoft Edge |
| Feature affected | Built-in password manager |
| Issue reported | Saved passwords loaded into process memory in clear text at startup |
| Microsoft’s position | No new browser security boundary was crossed |
| Planned change | Edge will stop loading saved passwords into memory at startup |
| Rollout | Canary first, then all supported Edge channels from build 148 onward |
Why the password behavior raised concern
Passwords stored by browsers need to be decrypted at some point so users can autofill them or view them after authentication. The concern here was timing and scope.
The researcher found that Edge loaded saved passwords into memory during startup. That could expose more credentials than needed during a browsing session, especially if the user never opened the sites connected to those saved logins.
In comparison, Chrome was reported to decrypt passwords only when the user requests or uses a specific credential. That difference made Edge’s startup behavior stand out among Chromium-based browsers.
Microsoft says there is no new customer exposure
Microsoft says the reported scenario requires a device that has already been compromised. If malicious code can run locally with the right privileges, the browser alone cannot fully protect sensitive data.
This matches Microsoft’s existing password manager security documentation. Edge encrypts saved passwords on disk using local data encryption, but Microsoft notes that malware running as the signed-in user can still access decrypted browser data.
That distinction matters. The issue does not mean a remote website can read Edge passwords by itself. It also does not mean saved passwords were exposed online by default. The risk increases after malware or another attacker gains local access to the device.
- The behavior involved saved passwords in process memory at browser startup.
- An attacker would need local device compromise to access that memory.
- Microsoft does not classify the behavior as a new browser vulnerability.
- The company still decided to reduce unnecessary password exposure.
- The update will arrive automatically through supported Edge channels.
Why the change still matters
Defense-in-depth improvements reduce damage when one layer of security fails. Even if a device is already compromised, limiting how much sensitive data sits in memory can make credential theft harder.
This matters for businesses where browser-saved passwords may include access to admin portals, SaaS dashboards, financial tools, developer platforms, and internal systems.
It also matters for shared or managed environments. If a device hosts several user sessions or handles sensitive work, unnecessary credential exposure can increase the impact of a successful intrusion.
How Edge stores saved passwords
Microsoft says Edge stores passwords encrypted on disk. The browser uses AES encryption and protects the encryption key through operating system storage areas.
On Windows, Edge relies on DPAPI. On macOS, it uses Keychain. On Linux, the key may be held in GNOME Keyring or KWallet. On mobile platforms, Edge uses the credential storage available on the device.
This protection helps when an attacker steals files from disk or gets access to data from a device that is not actively signed in. It does not fully protect against malware running inside the active user session.
| Platform | Storage protection used by Edge |
|---|---|
| Windows | DPAPI |
| macOS | Keychain |
| iOS | iOS Keychain |
| Linux | GNOME Keyring or KWallet |
| Android | Device credential storage; Android does not offer the desktop-style system-level AES key store, so the protection model differs |
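The two points above, the timing question (decrypt everything at startup versus decrypt one credential when it is used) and the on-disk design (AES ciphertext with a key held by the OS keystore), can be made concrete in a small model. The following Go program is an added illustration written for this article; it is not Edge or Chromium code. It assumes a toy store in which the keystore-protected key is simply a random 32-byte value (`NewRandomKey`), each saved password is AES-256-GCM sealed with the site name as associated data, and a `Decrypts` counter stands in for "plaintext passwords currently findable in process memory". `CompareModels` runs a session in which the user opens only one of three saved sites under both models.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Store models the encrypted half of a browser password manager. It holds only
// nonce||ciphertext blobs; Decrypts counts the plaintext passwords it has handed out.
type Store struct {
	aead     cipher.AEAD
	records  map[string][]byte
	Decrypts int
}

// NewRandomKey stands in for the 32-byte key the OS keystore (DPAPI, Keychain,
// GNOME Keyring/KWallet) returns to the browser; a real browser does not generate it here.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// NewStore wraps the keystore-protected key in AES-256-GCM.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &Store{aead: aead, records: map[string][]byte{}}, nil
}

// Save encrypts one password under a fresh nonce. The site name is bound in as
// associated data, so a blob copied onto another site's record will not open.
func (s *Store) Save(site string, password []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[site] = s.aead.Seal(nonce, nonce, password, []byte(site)) // nonce || ciphertext
	return nil
}

// Use decrypts one credential at the moment it is needed (the on-demand model the
// article attributes to Chrome); the caller zeroes the buffer once the form is filled.
func (s *Store) Use(site string) ([]byte, error) {
	blob, ok := s.records[site]
	if !ok {
		return nil, fmt.Errorf("no credential saved for %s", site)
	}
	n := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(site))
	if err != nil {
		return nil, err
	}
	s.Decrypts++
	return pt, nil
}

// LoadAllAtStartup is the behaviour the article reports for Edge: every saved
// password decrypted before any site is visited. It returns the running Decrypts count.
func (s *Store) LoadAllAtStartup() int {
	for site := range s.records {
		s.Use(site) // a record that fails to open is simply not exposed
	}
	return s.Decrypts
}

// CompareModels saves three constructed logins, then measures how many plaintext
// passwords each model produces for a session in which the user opens one site.
func CompareModels() (eager, lazy int, err error) {
	key, err := NewRandomKey()
	if err != nil {
		return 0, 0, err
	}
	s, err := NewStore(key)
	if err != nil {
		return 0, 0, err
	}
	for site, pw := range map[string]string{ // constructed sample data, not real logins
		"admin.example.test": "Hunter2-Admin",
		"saas.example.test":  "correct horse battery",
		"bank.example.test":  "pin-4242",
	} {
		if err = s.Save(site, []byte(pw)); err != nil {
			return 0, 0, err
		}
	}
	eager = s.LoadAllAtStartup() // startup model: all three decrypted up front
	s.Decrypts = 0               // same store, fresh session, on-demand model
	if _, err = s.Use("saas.example.test"); err != nil {
		return 0, 0, err
	}
	return eager, s.Decrypts, nil
}

func main() {
	eager, lazy, err := CompareModels()
	fmt.Println("startup-load exposed:", eager, "on-demand exposed:", lazy, "error:", err)
}
```

Running it reports three exposed passwords for the startup-load model and one for the on-demand model. The on-disk protection is the same in both cases, which is the article's point: the encryption at rest is not what changed, only when the browser turns ciphertext into plaintext, and therefore how much a process-memory read on an already compromised device can collect.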
What users should do
Microsoft says Edge users do not need to manually change settings to receive the fix. The browser will get the change through its regular update channel.
Users should still keep Edge updated. They should also keep Windows, Microsoft Defender, and other endpoint protections current because the reported attack scenario depends on local compromise.
People who store sensitive credentials in any browser should also use basic account protections. Strong unique passwords, multi-factor authentication, and device security still matter more than one browser-side change.
- Keep Microsoft Edge updated through the normal browser update process.
- Install operating system security updates promptly.
- Use multi-factor authentication for important accounts.
- Avoid running unknown files or scripts on your device.
- Use Microsoft Defender or another trusted security tool.
- Review saved passwords and remove credentials you no longer need.
- Consider a dedicated password manager for high-value business credentials.
What IT admins should watch
Enterprise admins should track the Edge 148 rollout across managed devices, especially in environments that rely heavily on the built-in Edge password manager.
They should also review password manager policies. In some business settings, admins may restrict whether employees can save passwords in Edge or sync browser data across devices.
The bigger security lesson is endpoint protection. If malware runs under a user session, browsers, password managers, cookies, and app tokens can all become targets. Reducing password exposure at startup helps, but it does not replace device hardening.
| Admin task | Why it matters |
|---|---|
| Track Edge 148 deployment | Confirms the password memory change reaches managed devices. |
| Review browser password policies | Controls whether users can save and sync passwords in Edge. |
| Monitor endpoint health | Local compromise remains the main risk scenario. |
| Enforce MFA | Limits the impact of stolen passwords. |
| Reduce local admin rights | Makes credential dumping and cross-user access harder. |
Microsoft is also reviewing report handling
Microsoft said it is reviewing how it handles researcher reports. The company said it wants to improve response speed, communication clarity, and the way defense-in-depth thinking enters the evaluation process.
The Edge team also pointed to other browser protections, including sandboxing, renderer isolation, and Scareware Blocker. These controls help break attack chains before a malicious website or app can do more damage.
The password memory change does not mean every user was suddenly exposed. It does show Microsoft wants to reduce unnecessary handling of sensitive data, even when an issue sits outside its normal browser security boundary.
FAQ
Microsoft is changing Edge so it no longer loads saved passwords into process memory in clear text at startup. The change is already live in Edge Canary and will roll out to supported Edge channels from build 148 onward.
No. Microsoft says the reported scenario requires an attacker who already controls the user’s device. The behavior did not create a new remote browser attack path by itself.
No manual action is required. Microsoft says the change will arrive through the normal Edge update channel for supported versions of the browser.
Passwords in memory can become targets after malware or another attacker gains local access to a device. Reducing when passwords enter memory limits unnecessary exposure during a browsing session.
Microsoft has not told users to stop using Edge’s password manager. Users should keep Edge updated, use multi-factor authentication, protect their devices from malware, and remove saved passwords they no longer need.