The latest stable version of Edge no longer loads passwords into memory at startup.
This change was not a foregone conclusion. Microsoft had initially considered the behavior normal in light of the browser’s threat model, and had said as much to the security researcher who alerted them to the issue. That was in early May.
Passwords in Clear Text… Continuously
More precisely, the researcher had shown that all passwords stored in Edge were decrypted at launch and kept continuously in the memory of the parent process, in cleartext, whether or not they were in use.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
The situation, he explained, was particularly problematic in shared environments such as terminal-server setups: an attacker with admin privileges on the machine could read the Edge processes of every user, whether that user was logged on or not.
Having accompanied his statements with a PoC, the researcher added that other Chromium-based browsers did not display this behavior. Extracting passwords from them is harder, he claimed: decryption is performed only on demand and—at least on Windows—the app-bound encryption prevents the keys from being reused by other processes.
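To make the difference between the two designs concrete, here is an added illustration (not code from the researcher, Microsoft or Chromium): a constructed vault protected by a toy HMAC-counter stream cipher, stored either the way the article describes Edge doing it (everything decrypted at startup and kept resident) or on demand (ciphertext only, plaintext zeroed after use). `resident_secrets` stands in for a memory snapshot of the process.

```python
import hmac
import hashlib
import secrets
from contextlib import contextmanager

# Toy PRF-based stream cipher (HMAC-SHA256 in counter mode). It stands in for the
# real OS-bound credential encryption; key and vault contents are constructed here.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytearray:
    nonce, ct = blob[:16], blob[16:]
    return bytearray(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class EagerStore:
    """Decrypts every entry at startup and keeps all plaintexts resident (the reported Edge behaviour)."""
    def __init__(self, key: bytes, vault: dict):
        self.plaintexts = {site: decrypt(key, blob) for site, blob in vault.items()}

    def get(self, site: str) -> bytes:
        return bytes(self.plaintexts[site])

class OnDemandStore:
    """Keeps only ciphertext resident; a plaintext exists while in use and is zeroed afterwards."""
    def __init__(self, key: bytes, vault: dict):
        self._key, self._vault = key, dict(vault)
        self.plaintexts = {}  # only populated inside use()

    @contextmanager
    def use(self, site: str):
        buf = decrypt(self._key, self._vault[site])
        self.plaintexts[site] = buf
        try:
            yield buf
        finally:
            for i in range(len(buf)):  # overwrite before releasing the buffer
                buf[i] = 0
            del self.plaintexts[site]

def resident_secrets(store) -> dict:
    """Simulated memory snapshot: which plaintext passwords are resident in the process right now."""
    return {site: bytes(buf) for site, buf in store.plaintexts.items()}
```

With the eager store a snapshot exposes every password for the whole process lifetime; with the on-demand store it exposes at most the one being used, and only while it is used.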
Microsoft, Aligned with the Chromium Project’s Approach
“It’s not a bug, it’s a feature,” Microsoft essentially replied. Its position has not changed since: the risk only materializes once the device is already compromised, a scenario in which any browser—and indeed any application—is defenseless. It is therefore out of scope.
The Chromium project adopts the same stance. It is not classified as a security bug that an attacker who has control of a device can access passwords by inspecting the browser’s files or memory. More broadly, so-called “physically-local” attacks do not form part of the security model. This includes, for example, compromise through loading a malicious DLL, through the hooking of an API, or through another alteration of the device’s configuration.
In the name of “defense in depth,” with its Secure Future Initiative in the background, Microsoft did ultimately change its stance…