Microsoft Edge Stores Every Saved Password in Plaintext RAM — And Microsoft Says That’s Intentional
Security Intelligence Report
A Norwegian penetration tester has publicly demonstrated that Edge decrypts your entire password vault the moment the browser launches and keeps it readable in memory for your whole session — a design Microsoft defends as a deliberate choice to optimize login performance.
[Figure: recreated output based on the public proof-of-concept tool released by researcher @L1v1ng0ffTh3L4N at BigBiteOfTech, April 29, 2026]
On April 29, 2026, security researcher Tom Jøran Sønstebyseter Rønning, a penetration testing specialist working with Palo Alto Networks Norway, stood before an audience at the BigBiteOfTech conference and demonstrated something that had been sitting in plain sight inside one of the world’s most widely installed browsers. Microsoft Edge, he showed, loads every single saved password into its process memory the instant it launches — in unencrypted, plaintext form — and leaves them there for your entire browsing session.
It does not matter whether you visit any of the websites whose credentials are stored. Edge decrypts your entire password vault at startup, unconditionally. Open Edge to read the news and every login you have ever saved — banking, email, medical portals, workplace systems — is sitting in readable memory, waiting.
“Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them.” — Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N), May 4, 2026
How the Vulnerability Works
Modern password management best practice dictates that credentials should be decrypted on demand — fetched from secure storage only at the precise moment they are needed for autofill or manual review — and then immediately cleared from memory. Google Chrome, also built on the Chromium engine, follows this model: it decrypts individual passwords only during autofill or when a user explicitly opens the password manager. Chrome also employs Application-Bound Encryption, which cryptographically ties the decryption process to the authenticated browser, making it significantly harder for external processes to extract keys.
Edge does neither. The research found it to be the only Chromium-based browser tested with this behavior. Once the browser process starts, every saved URL, username, and password is written to heap memory in cleartext and remains there — even in disconnected or locked sessions on terminal servers — for as long as the browser is open.
The authentication gate Edge presents before displaying passwords in its own settings interface turns out to be purely cosmetic. A PIN or Windows Hello prompt prevents a casual shoulder-surfer from reading your passwords on screen, but the data already exists unencrypted in memory, readable by any process that can access it. The researcher describes this as creating a false sense of security.
The Danger Is Greatest in Shared Environments
On a personal laptop used by a single person, exploiting this requires local physical access or malware — a meaningful barrier. The risk calculus changes dramatically in shared computing environments such as corporate terminal servers, Remote Desktop Services infrastructure, and Virtual Desktop Infrastructure deployments.
In a proof-of-concept video published alongside the conference disclosure, Rønning demonstrated the attack running from a compromised administrator account on a multi-user Windows server. The tool successfully extracted plaintext credentials belonging to two other users whose sessions were disconnected but still active — meaning the users had logged off the remote desktop interface without closing Edge. The passwords remained exposed in memory until the browser process itself was terminated.
This scenario is not hypothetical in enterprise environments. Organizations that standardize on Edge across hundreds of workstations and terminal servers effectively hand any attacker who achieves a single admin compromise a bulk credential harvester for every account stored in every active Edge session across the network.
Microsoft’s Response: “By Design”
Rønning followed responsible disclosure procedures and reported the issue to Microsoft before going public. Microsoft’s reply was unambiguous: the behavior is a conscious architectural decision made to optimize the user login experience, not an accidental vulnerability. The company categorized it as a planned feature.
Microsoft’s guidance on Edge password manager security already states that “physically local attacks and malware are outside the threat model,” and that “under these conditions, encrypted data would be vulnerable.” The company’s public advice is to apply system patches promptly and avoid running malicious software. No fix is planned.
“The prerequisite for an attack is that the device has been compromised.” — Microsoft’s official response, as reported during the disclosure process
Security experts strongly contest this framing. The standard vulnerability taxonomy already has a classification for this behavior: CWE-316 — Cleartext Storage of Sensitive Information in Memory. Germany’s Federal Office for Information Security (BSI) had notably excluded the Edge password manager from its password manager security evaluation as recently as December 2025, a decision this disclosure retroactively justifies.
Edge vs. Chrome: A Technical Comparison
| Security Behavior | Microsoft Edge | Google Chrome |
|---|---|---|
| Passwords decrypted at browser launch | ✗ All passwords, immediately | ✓ None — on demand only |
| Plaintext cleared after use | ✗ Remain for full session | ✓ Cleared promptly after autofill |
| App-Bound Encryption | ✗ Not applied to memory | ✓ Keys tied to authenticated process |
| Unused credentials exposed | ✗ Yes — even unvisited sites | ✓ No |
| Shared server / RDS risk | ✗ High — cross-user extraction possible | ✓ Significantly mitigated |
| UI authentication prompt | ✓ Required to view in settings | ✓ Required to view in settings |
| Memory bypass of UI auth | ✗ Trivially bypassed | ✓ Not directly applicable |
Disclosure Timeline
Researcher Tom Jøran Sønstebyseter Rønning publicly discloses the finding at the BigBiteOfTech conference hosted by Palo Alto Networks Norway. A verification tool, EdgeSavedPasswordsDumper, is released on GitHub alongside the disclosure.
Microsoft receives the responsible disclosure report and responds that the behavior is “by design” — a conscious architectural decision, not a bug.
Rønning posts a video proof-of-concept on X (formerly Twitter), demonstrating real-time credential extraction from Edge memory — including passwords from disconnected user sessions on a shared server. The video generates thousands of replies within hours.
Major security outlets including Heise, PCWorld, GBHackers, and Cyber Security News publish detailed analyses. Independent researchers reproduce the finding on Edge version 147.0.3912.98.
Microsoft has issued no patch or remediation commitment. The behavior remains active in the current release. Security professionals worldwide recommend immediate migration away from Edge’s built-in password manager.
What You Should Do Right Now
- Export your Edge passwords immediately. Go to `edge://settings/passwords`, click the three-dot menu, and export to CSV. Keep this file encrypted and delete it after importing to your new manager.
- Import into a dedicated password manager. Options recommended by security researchers include Bitwarden (open-source, free tier available), 1Password, or KeePassXC (fully local). All use proper encrypt-on-demand architecture with no plaintext memory exposure.
- Delete all saved passwords from Edge. Return to `edge://settings/passwords` and remove every stored credential. Do not re-save passwords in Edge while this behavior persists.
- Disable Edge’s “Offer to save passwords” toggle. This prevents new credentials from being added accidentally after you clear your vault.
- Enterprise administrators: audit immediately. If Edge is deployed across terminal servers or RDS environments, treat all browser-stored credentials as potentially compromised. Review MITRE ATT&CK technique T1555.003 (Credentials from Web Browsers) and add detection rules for suspicious `msedge.exe` memory reads by non-Edge processes.
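One way to express the detection rule from the last step, as an added example (not code from the original article or from the researcher's tool): it triages Sysmon ProcessAccess (Event ID 10) records and flags reads of `msedge.exe` memory by any process other than Edge itself, raising severity when source and target users differ, as in the shared-server scenario. The allowlist, the severity labels and the sample events are constructed assumptions.

```python
# Added example: triage Sysmon ProcessAccess (Event ID 10) records for reads of Edge memory.
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Assumption: default Edge install path. Extend with your own baselined EDR/AV binaries.
ALLOWED_SOURCES = {
    ntpath.normcase(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
}

def triage(event):
    """Return None if the event is not of interest, otherwise 'medium' or 'high'."""
    if event.get("EventID") != 10:
        return None
    if ntpath.basename(event.get("TargetImage", "")).lower() != "msedge.exe":
        return None
    # Compare the full source path, not just the file name.
    if ntpath.normcase(event.get("SourceImage", "")) in ALLOWED_SOURCES:
        return None
    if not int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
        return None
    # A read across user accounts matches the shared-server scenario: raise severity.
    src, tgt = event.get("SourceUser", ""), event.get("TargetUser", "")
    if src and tgt and src.lower() != tgt.lower():
        return "high"
    return "medium"

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Desktop\unknown_tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1010", "SourceUser": r"CORP\admin", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\msedge.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x0010",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 1, "Image": EDGE},
]

def run(events=SAMPLE_EVENTS):
    """Return (source image, severity) for every event that needs review."""
    return [(e["SourceImage"], sev) for e in events if (sev := triage(e))]

if __name__ == "__main__":
    for image, severity in run():
        print(f"{severity:6} {image}")
```

Sysmon only records these events when its configuration includes a ProcessAccess rule that covers `msedge.exe` as the target, so the rule has to be deployed before this triage has anything to read.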
Context and Perspective
It is worth noting that Microsoft’s “local access is outside our threat model” argument is not unique to Edge — it reflects a wider industry position that browser-based password managers are convenience tools, not hardened vaults. But the distinction this disclosure surfaces is meaningful: other browsers built on the same Chromium engine have implemented on-demand decryption and memory hygiene without sacrificing login performance. The performance optimization rationale Microsoft cites does not fully account for why its Chromium-based peers do not require the same trade-off.
For individual users on personal, unshared machines with good security hygiene — up-to-date OS patches, no malware, disk encryption enabled — the practical risk is lower than headlines may suggest. The exposure window requires local process-read access. The population for whom this is an acute, immediate risk is concentrated in enterprise shared environments, IT helpdesk roles, organizations using Remote Desktop Services, and anyone who shares their Windows session with other users or services.
That said, security best practice has long held that credential managers should not load secrets into memory until the second they are needed. The principle of least privilege applies to data in RAM no less than to file permissions. Edge’s behavior is, as CWE-316 classifies it, a vulnerability — regardless of whether Microsoft chooses to patch it.
