A current cybersecurity investigation has revealed a big concern concerning how Microsoft Edge handles person credentials. The findings, shared by researcher Tom Jøran Sønstebyseter Rønning, point out that the browser shops saved passwords in plaintext—that means they’re unencrypted and readable—throughout the system’s RAM whereas the appliance is lively.
Not like many trendy browsers that decrypt credentials solely for the time being of use, Microsoft Edge seems to maintain all saved passwords accessible within the system reminiscence at some point of the browser session. This conduct persists so long as the appliance is operating, no matter whether or not the person is actively accessing their password supervisor or logging into a web site.
Microsoft Edge hundreds all of your saved passwords into reminiscence in cleartext — even if you’re not utilizing them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
The first threat related to this conduct includes native safety. If an unauthorized particular person positive aspects bodily entry to a machine or manages to acquire administrative privileges remotely, they may probably extract delicate login data immediately from the RAM. Rønning demonstrated this by posting a proof-of-concept instrument on GitHub, which illustrates how simply these knowledge strings may be retrieved in a legible format.
The investigation highlights a big departure from the safety protocols utilized by different Chromium-based browsers. Google Chrome, as an illustration, usually decrypts credentials solely when needed and clears them from the reminiscence shortly thereafter to attenuate the “window of publicity.” Microsoft Edge’s structure, nevertheless, maintains this knowledge in an unencrypted state constantly all through the session.
Microsoft’s Response and Design Philosophy
Regardless of the criticism from the cybersecurity group, Microsoft has acknowledged the conduct however maintains that it isn’t a software program bug. As an alternative, the corporate has characterised this as an intentional design resolution. As of but, Microsoft has not offered a particular technical justification for why holding delicate credentials completely accessible within the reminiscence serves a sensible benefit for the person.
For customers who depend on Microsoft Edge as their major password supervisor, these revelations elevate vital questions concerning native privateness and knowledge safety. Safety consultants recommend utilizing devoted third-party password managers or making certain that browsers are absolutely closed when not in use to mitigate such dangers.
