How Bad Is Microsoft Edge's Plaintext Password Problem?

Microsoft Edge decrypts every saved password into memory the moment you open it, and keeps them in cleartext for the entire session. Microsoft says it's by design and not a vulnerability. Here's the honest take. A Norwegian security researcher, Tom Jøran Sønstebyseter Rønning of Palo Alto Networks Norway, disclosed at the BigBiteOfTech conference on April 29, 2026 that Microsoft Edge decrypts all saved passwords into process memory at startup, including for sites you never visit, and keeps them in cleartext for the duration of the browser session. Of the Chromium-based browsers he tested, Edge is the only one that does this. Chrome decrypts credentials on demand and uses Application-Bound Encryption to lock keys to its own running process. Microsoft's Security Response Center declared the behavior "not a vulnerability," arguing that physically local attacks and malware are outside the browser's threat model. The published proof of concept shows an admin on a remote desktop server reading other users' passwords from memory, including users with disconnected sessions. The honest take: not catastrophic for a single home user, but a meaningful uplift for infostealer malware and a real concern in shared or terminal-server environments. If you save passwords in your browser, switch to a dedicated manager like Bitwarden, 1Password, or KeePass. Sources: https://cybernews.com/security/microsoft-edge-loads-cleartext-passwords-to-memory/ https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk https://www.windowscentral.com/microsoft/microsoft-edge-will-load-all-your-passwords-into-memory-in-plaintext-but-microsoft-says-its-not-a-security-concern https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-password-manager-security More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #edge #passwords