Edge Stores All Passwords in Plain Text in Memory
Microsoft Edge, the Chromium-based browser used by hundreds of millions worldwide, stores all saved passwords in clear text directly in process memory — even passwords for sites the user has not actively visited during their session. Security researchers have flagged this behavior as a significant vulnerability that dramatically lowers the barrier for credential theft via memory-scraping malware or local access attacks.
The discovery reignites longstanding concerns about how major browsers handle sensitive credential data at the operating system level, and raises urgent questions about whether Microsoft's approach to password management meets modern security standards.
Key Facts at a Glance
- All saved passwords are loaded into Edge's process memory in plain text upon browser launch
- Passwords remain exposed even for sites the user has not visited in the current session
- Attackers with local access or memory-reading malware can extract every stored credential at once
- The issue affects Edge's built-in password manager, not third-party extensions like 1Password or Bitwarden
- Unlike some competing browsers, Edge does not appear to implement robust in-memory encryption for stored credentials
- Microsoft has not yet issued a formal patch or detailed remediation timeline
How the Vulnerability Works in Practice
When a user launches Microsoft Edge, the browser's built-in password manager loads the user's entire credential vault into the browser's process memory. This happens automatically, regardless of which websites the user actually navigates to during that session.
Security researchers demonstrated that by using widely available tools — such as Process Hacker or custom memory-dumping scripts — an attacker can scan Edge's memory space and extract usernames and passwords in fully readable plain text. The attack does not require sophisticated exploitation techniques or zero-day vulnerabilities.
What makes this particularly alarming is the scope of exposure. In a typical scenario, one might expect only the credentials for actively visited sites to be present in memory. Instead, Edge preloads every saved password, meaning a single memory dump could yield dozens or even hundreds of credential pairs.
This behavior effectively turns a local access compromise or a successful malware infection into a full credential harvesting event. Rather than needing to intercept passwords one by one as users log into sites, an attacker gains immediate access to the entire vault.
Why In-Memory Plain Text Storage Is Dangerous
Memory-scraping attacks are not theoretical — they are a well-documented and actively exploited attack vector. The technique gained widespread notoriety during the Target data breach in 2013, where attackers used RAM-scraping malware to steal millions of credit card numbers from point-of-sale systems.
In the browser context, the risk is equally concrete. Infostealers like RedLine, Raccoon, and Vidar — which are widely sold on dark web marketplaces for as little as $100-$200 per month — routinely target browser process memory to extract credentials, cookies, and autofill data.
The critical issue is that storing passwords in plain text in memory removes an important layer of defense-in-depth. Even if a system is partially compromised, in-memory encryption or tokenization can prevent attackers from reading sensitive data directly. By skipping this step, Edge leaves users reliant entirely on perimeter defenses — antivirus software, OS-level protections, and user vigilance — which are frequently bypassed.
How Edge Compares to Other Browsers
The discovery invites direct comparison with how other major browsers handle credential storage in memory. While no browser can claim perfect security in this domain, the approaches vary significantly.
- Google Chrome: Also Chromium-based, Chrome has faced similar criticisms historically. Google has begun implementing memory protections and exploring CryptProtectMemory API usage for sensitive data, though coverage remains inconsistent
- Mozilla Firefox: Firefox's password manager encrypts credentials on disk using a primary password feature (if enabled by the user). In-memory handling has been somewhat more conservative, though researchers have still found plain-text credentials in certain scenarios
- Apple Safari: Safari benefits from macOS's tighter integration with the Keychain system, which provides hardware-backed encryption. Memory exposure is generally more limited due to Apple's sandboxing architecture
- Brave Browser: Despite being Chromium-based like Edge, Brave has implemented additional privacy and security hardening layers that reduce some categories of memory exposure
The comparison highlights that Edge's behavior is not entirely unique to Chromium-based browsers, but the preloading of all credentials — including those for unvisited sites — appears to be a particularly aggressive design choice that maximizes the attack surface.
The Broader Security Implications for Enterprise Users
Enterprise environments face outsized risk from this vulnerability. Microsoft Edge is the default browser on Windows 10 and Windows 11 systems, and many organizations mandate its use through group policy. Microsoft has aggressively pushed Edge adoption in corporate settings, touting its integration with Azure Active Directory, Microsoft 365, and Intune device management.
In these environments, a single compromised workstation could yield credentials for:
- Internal corporate applications and dashboards
- Cloud platforms like Azure, AWS, or Google Cloud
- Email systems and collaboration tools
- VPN and remote access portals
- Financial and HR systems
- Customer-facing platforms and admin panels
The potential for lateral movement within an organization is significant. An attacker who harvests credentials from one employee's Edge browser could use those credentials to access additional systems, escalate privileges, and move deeper into the network.
This is especially concerning given the rise of hybrid work environments, where employees frequently save credentials for both personal and professional accounts in the same browser profile. A single compromise could bridge the gap between personal and corporate security perimeters.
What Users and Organizations Should Do Now
While waiting for Microsoft to address the issue at the browser level, security professionals recommend several immediate mitigation steps.
For individual users:
- Switch to a dedicated third-party password manager like 1Password, Bitwarden, or Dashlane, which implement their own in-memory encryption and security architecture
- Disable Edge's built-in password saving feature under Settings > Passwords
- Enable multi-factor authentication (MFA) on all critical accounts to reduce the impact of stolen passwords
- Keep Windows and Edge updated to ensure any future patches are applied promptly
For enterprise IT teams:
- Deploy group policies to disable Edge's built-in password manager across managed devices
- Mandate the use of enterprise-grade password management solutions with centralized administration
- Implement endpoint detection and response (EDR) tools capable of identifying memory-scraping behavior
- Audit existing credential storage practices and assess exposure
- Consider browser isolation technologies for accessing sensitive applications
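An added example (not from the original article or from Microsoft) of the kind of rule an EDR or SIEM can apply for the memory-scraping item above: it filters Sysmon Event ID 10 (ProcessAccess) records for processes outside an allowlist that open msedge.exe with the PROCESS_VM_READ right. The events, paths and allowlist are constructed for illustration and would come from an organisation's own baseline.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory
TARGET = "msedge.exe"

# Assumption: full paths of processes expected to open Edge with read access.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\windows\system32\csrss.exe",
}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},   # includes VM_READ
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},   # query only, no VM_READ
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": EDGE},                      # process creation, ignored
]

def suspicious_edge_reads(events):
    """Return ProcessAccess events where an unexpected process can read Edge memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if ntpath.basename(ev.get("TargetImage", "")).lower() != TARGET:
            continue
        try:
            access = int(ev["GrantedAccess"], 16)
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than crash the pipeline
        if not access & PROCESS_VM_READ:
            continue
        if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in suspicious_edge_reads(SAMPLE_EVENTS):
        print("ALERT", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```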
Microsoft's Response and Industry Pressure
Microsoft has historically taken a measured approach to browser security disclosures. The company typically evaluates reported vulnerabilities through its Microsoft Security Response Center (MSRC) and assigns severity ratings before committing to remediation timelines.
However, the company faces mounting pressure on multiple fronts. The Cybersecurity and Infrastructure Security Agency (CISA) has increasingly emphasized secure-by-default principles, urging software vendors to eliminate entire classes of vulnerabilities rather than relying on users to configure security settings correctly.
Microsoft's own Secure Future Initiative, announced in late 2023 in response to a series of high-profile security incidents, pledged to make security the company's top priority. Storing passwords in plain text in memory appears to conflict directly with the principles outlined in that initiative.
The timing is also notable given Microsoft's heavy investment in AI-powered security tools, including Copilot for Security. Critics have pointed out the irony of investing billions in advanced AI threat detection while leaving fundamental credential hygiene issues unaddressed in one of the company's most widely used consumer products.
Looking Ahead: What Needs to Change
This incident underscores a broader challenge facing the browser security ecosystem. As browsers evolve into full-fledged operating environments — handling passwords, payment information, identity verification, and increasingly AI-powered features — the security expectations must evolve accordingly.
The path forward likely involves several industry-wide shifts:
- Adoption of hardware-backed credential isolation using TPM chips and secure enclaves
- Implementation of just-in-time credential decryption, where passwords are only decrypted at the moment of use and immediately cleared from memory
- Greater transparency from browser vendors about how credentials are handled at every layer of the stack
- Regulatory pressure, potentially through frameworks like the EU's Cyber Resilience Act, to mandate minimum standards for credential storage in consumer software
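The just-in-time decryption item above, sketched as an added example that is not code from Edge or any browser: the vault keeps only ciphertext between uses, decrypts one entry into a mutable buffer, and overwrites that buffer when the caller is done. The class and function names are hypothetical, the HMAC-SHA256 counter-mode keystream is a stand-in for an AEAD or an OS facility such as CryptProtectMemory, and the key sits in the same process only to keep the example self-contained.

```python
import hashlib, hmac, os
from contextlib import contextmanager

def _xor_keystream(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), not a production cipher."""
    out = bytearray(len(data))
    for block in range(0, len(data), 32):
        pad = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(block, min(block + 32, len(data))):  # index loop: no plaintext slices
            out[i] = data[i] ^ pad[i - block]
    return out

class JitVault:
    """Holds ciphertext at rest; plaintext exists only inside a `reveal` block."""
    def __init__(self, key):
        self._key = key      # assumption: real designs keep this in the OS or hardware
        self._entries = {}   # site -> (nonce, ciphertext)

    def store(self, site, password):
        nonce = os.urandom(16)
        self._entries[site] = (nonce, bytes(_xor_keystream(self._key, nonce, password)))
        password[:] = bytes(len(password))  # wipe the caller's bytearray in place

    @contextmanager
    def reveal(self, site):
        nonce, ct = self._entries[site]
        buf = _xor_keystream(self._key, nonce, ct)
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))  # overwrite as soon as the caller is done

    def resident_bytes(self):
        """Everything the vault retains between uses."""
        return b"".join(n + c for n, c in self._entries.values())

def demo():
    # Constructed credentials; these literals are test fixtures, not vault state.
    secrets = {"mail.example": b"constructed-pass-1", "vpn.example": b"constructed-pass-2"}
    vault = JitVault(os.urandom(32))
    for site, pw in secrets.items():
        vault.store(site, bytearray(pw))
    with vault.reveal("vpn.example") as pw:
        matched = pw == secrets["vpn.example"]  # use the secret here, e.g. fill a form
    leaked = [s for s, p in secrets.items() if p in vault.resident_bytes()]
    return matched, bytes(pw), leaked
```

CPython gives no guarantee about transient copies made by the interpreter, so this models the lifetime rule rather than providing hardened storage; the same structure in native code would pair locked memory with a guaranteed zeroing call.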
For now, the most prudent course of action is to treat browser-based password managers with caution and layer additional security controls on top. The convenience of built-in password saving comes with trade-offs that, as this discovery makes clear, can be severe.
The security community will be watching closely to see how quickly Microsoft responds — and whether the fix addresses the root architectural issue or merely patches the most visible symptom.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/edge-stores-all-passwords-in-plain-text-in-memory