Microsoft Backpedals on Edge's Plaintext Passwords

Microsoft is shipping a fix for the Edge cleartext-passwords behavior they previously called 'by design.' Update on last week's video covering the original disclosure. Edge had been decrypting every saved password into process memory at startup and keeping them in cleartext for the entire session, including for sites the user never visits. Norwegian security researcher Tom Jøran Sønstebyseter Rønning disclosed the behavior and published a proof-of-concept tool. Microsoft's initial response, per Bleeping Computer's reporting, was that the behavior was "an expected feature of the application" and "by design," with the Microsoft Security Response Center declining to treat it as a vulnerability. On May 15th, Microsoft announced via Edge Security Lead Gareth Evans that the team is taking a broader view beyond its formal threat model, and that "reducing the exposure of passwords in memory is a practical step in that direction." The change is live in Edge Canary and coming to Stable, Beta, Dev, and Extended Stable in build 148 and newer. Microsoft has not called the original behavior a vulnerability — the framing is defense-in-depth. Saved passwords no longer load into memory at startup, putting Edge in line with the other Chromium-based browsers. If you save passwords in your browser instead of a dedicated manager, the original recommendation from the previous video still stands. Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/ https://www.malwarebytes.com/blog/news/2026/05/microsoft-says-edges-plaintext-password-behavior-is-by-design More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #edge #passwords