
Microsoft Says Edge Loading Passwords in Plaintext Is by Design

💡 Microsoft confirms Edge browser loads all saved passwords as plaintext in memory at startup, calling it a deliberate design choice for performance.

Microsoft has confirmed that its Edge browser deliberately loads all saved passwords in plaintext into system memory at startup — and insists this is not a bug. The revelation, first flagged by security researcher @L1v1ng0ffTh3L4N, has sparked a heated debate over the trade-offs between performance, usability, and security in modern browsers.

The researcher found that Edge is the only Chromium-based browser that exhibits this behavior, with Google Chrome taking a notably more cautious approach by only decrypting passwords when explicitly requested through the password manager or autofill menu.

Key Facts at a Glance

  • Edge decrypts every saved credential at startup, regardless of whether the user visits the associated website
  • Google Chrome only decrypts passwords on demand, when accessed via the password manager or autofill
  • Microsoft calls this 'by design', intended to accelerate login and authentication for end users
  • An attacker with admin access to a terminal server could theoretically read all passwords from every logged-in user's memory
  • Edge is the only Chromium-based browser confirmed to load all passwords in plaintext at launch
  • Microsoft acknowledges the design requires balancing performance, usability, and security

How the Vulnerability Works in Practice

The core issue is straightforward but alarming. When Edge launches, it decrypts every single stored credential and holds them in plaintext within the browser's process memory. This happens automatically, even if the user never navigates to a site that requires those credentials.

In contrast, Chrome and other Chromium-based browsers leave each credential in its encrypted at-rest form (wrapped with the operating system's key store, DPAPI on Windows) and decrypt it only at the moment it is actually needed. This 'lazy decryption' approach means that at any given time, only the passwords currently in use are exposed in readable form.

The practical attack scenario is particularly concerning in enterprise environments. If a malicious actor gains administrative privileges on a terminal server (a common setup in corporate IT), they hold SeDebugPrivilege and can open any other user's process for reading, so they could dump the memory of every logged-in user's Edge processes and harvest every saved password in one sweep.

'When you save passwords in Edge, the browser decrypts every credential at startup and keeps them in memory,' the researcher explained. 'This happens even if you never visit the sites those credentials belong to.'

Microsoft Defends Its Design Philosophy

Microsoft's response has been notably unapologetic. A company spokesperson stated that the behavior is intentional, designed to 'speed up the login and authentication flow for end users.' The company framed it as a calculated trade-off rather than an oversight.

The spokesperson emphasized that 'security and safety are cornerstones of Microsoft Edge,' and noted that exploiting this behavior requires a device that has already been compromised. In Microsoft's view, if an attacker already has admin-level access to a machine, the user has bigger problems than plaintext passwords in memory.

This argument has some technical merit, but less than it first appears. Reading another user's process memory does require elevated privileges, and a fully compromised machine exposes users to countless other risks. Reading your own processes does not: any program running in the user's session can open that user's Edge process with PROCESS_VM_READ, which is exactly how commodity infostealers operate. The caveat cuts both ways, since same-user malware can also decrypt a browser's at-rest store with the same DPAPI calls the browser itself uses; where the two designs differ sharply is the shared host, where a local administrator can read every session's process memory directly but would additionally need each user's credentials to unwrap their DPAPI-protected secrets. Security experts therefore argue that defense-in-depth principles demand minimizing exposure at every layer, even when other defenses have failed.

Microsoft also indicated it would 'continue to evaluate' design choices in this area, leaving the door open for potential future changes without committing to any specific timeline or modification.

Why This Matters More Than Microsoft Suggests

While Microsoft's 'the device is already compromised' argument sounds reasonable on the surface, several factors make this more concerning than the company acknowledges.

First, terminal server environments are widespread in enterprise settings. Organizations running Windows Server with Remote Desktop Services often have dozens or even hundreds of users logged in simultaneously. A single compromised admin account could expose the passwords of every user on that server.

Second, memory-scraping malware is not exotic. It has been a staple of cybercriminal toolkits for years, famously used in the Target data breach of 2013 and countless point-of-sale attacks. Nor does reading a browser process need specialised tooling: Mimikatz is aimed at LSASS, but an administrator can dump any user's Edge process with Task Manager's 'Create dump file', Sysinternals ProcDump, or a MiniDumpWriteDump call through rundll32 and comsvcs.dll, then search the dump for credentials offline.

Third, the principle of least privilege and defense in depth are foundational to modern cybersecurity. The argument that 'the machine is already compromised' dismisses the value of secondary defenses — the very defenses that often prevent a minor breach from becoming a catastrophic one.

  • Enterprise terminal servers could expose hundreds of users' credentials simultaneously
  • Memory-scraping malware is widely available and well-understood by attackers
  • Defense in depth principles argue against unnecessary plaintext exposure
  • Compliance frameworks like SOC 2, ISO 27001, and GDPR may view this as a design weakness
  • Competitive browsers have demonstrated that on-demand decryption is technically feasible without significant performance loss

How Edge Compares to Other Browsers

The comparison with Chrome is particularly damaging to Microsoft's position. Both browsers share the same Chromium codebase, which means Edge's behavior is not a limitation inherited from the underlying engine — it is a deliberate modification or addition by Microsoft's engineering team.

Chrome's approach is more conservative: passwords remain encrypted in memory until the user actively triggers a decryption event, such as clicking on a password field that triggers autofill or opening the built-in password manager. This means the window of exposure is limited to the moments when a credential is actually in use.

Firefox, which uses its own Gecko engine, takes yet another approach. Mozilla's browser supports a primary password (formerly called a master password) that encrypts the entire credential store with user-supplied key material. Without entering this primary password, saved credentials remain encrypted and inaccessible — even to the browser itself.

Apple's Safari relies on the system-level Keychain for credential storage, which integrates with hardware security features such as the Secure Enclave on Apple Silicon Macs and T2-equipped Intel Macs. Passwords are decrypted on demand and benefit from hardware-backed key protection.

Browser    Decryption behavior          Additional protection
Edge       All passwords at startup     OS-level (DPAPI) encryption at rest only
Chrome     On demand only               OS-level (DPAPI) encryption at rest
Firefox    On demand only               Optional primary password
Safari     On demand only               Hardware-backed Keychain

What Users and IT Admins Should Do Now

For individual users concerned about this behavior, the most immediate mitigation is to stop storing sensitive passwords in Edge and switch to a dedicated password manager such as 1Password, Bitwarden, or Dashlane. These tools manage their own encryption and do not rely on the browser's credential storage. They are not immune to memory reading either: an unlocked vault is decrypted inside the manager's own process and its browser extension, so configure a short auto-lock timeout and lock the vault before leaving a shared session.

Enterprise IT administrators should take more comprehensive steps:

  • Audit terminal server environments for Edge password storage usage (each profile keeps its store at %LocalAppData%\Microsoft\Edge\User Data\<Profile>\Login Data)
  • Deploy Group Policy settings to disable Edge's built-in password manager across the organization (the PasswordManagerEnabled policy, delivered as a DWORD of 0 under HKLM\SOFTWARE\Policies\Microsoft\Edge)
  • Mandate a centralized password management solution that offers enterprise-grade encryption
  • Restrict local administrator rights on shared hosts, since cross-session memory reads depend on SeDebugPrivilege; note that Credential Guard does not help here, because it isolates LSASS secrets (password hashes and Kerberos tickets), not the memory of an ordinary process such as Edge
  • Monitor process-access telemetry (Sysmon Event ID 10 or the EDR equivalent) for handles to msedge.exe opened with PROCESS_VM_READ by anything other than Edge itself, and for dump tooling such as ProcDump, Task Manager dumps and the comsvcs.dll MiniDump export; Mimikatz signatures alone cover LSASS, not browser memory
  • Consider alternative browsers for environments with elevated security requirements
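A concrete version of the monitoring step above, and of the memory-read scenario described earlier in the article, written for this page as an added example (it is not Microsoft's code and not a tool the researcher published): it scans a Sysmon Event ID 10 (ProcessAccess) export and flags handles to msedge.exe that carry PROCESS_VM_READ, escalating when the opener is a known dump tool or runs as a different user than the Edge process. The JSON-lines records, the allowlist and the user and path names are constructed for the example; field names follow Sysmon's EventData schema (SourceUser and TargetUser exist in recent Sysmon releases and are treated as optional).

```python
import json
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Windows process access right needed by ReadProcessMemory and MiniDumpWriteDump.
# Sysmon logs GrantedAccess as a hex string such as "0x1438" or "0x1FFFFF".
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open msedge.exe with VM_READ:
# Edge's own browser process managing its children, and the Win32 subsystem.
# Tune per estate; compare full lowercase paths rather than basenames.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\windows\system32\csrss.exe",
}

# Tooling commonly used to write a minidump of a live process.
DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "taskmgr.exe", "rundll32.exe"}


@dataclass
class Alert:
    severity: str
    reason: str
    source_image: str
    source_user: str
    target_user: str
    granted_access: int


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def has_vm_read(granted_access: str) -> bool:
    """True if the logged access mask allows reading the target's memory."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def classify(event: dict) -> Optional[Alert]:
    """Classify one Sysmon EID 10 event; return None when it is not a concern."""
    if _basename(event["TargetImage"]) != "msedge.exe":
        return None
    if not has_vm_read(event["GrantedAccess"]):
        return None  # e.g. PROCESS_QUERY_LIMITED_INFORMATION only: cannot read memory
    source = event["SourceImage"]
    if source.lower() in ALLOWED_SOURCES:
        return None
    src_user = event.get("SourceUser", "")  # absent on older Sysmon releases
    tgt_user = event.get("TargetUser", "")
    reasons = []
    if src_user and tgt_user and src_user.lower() != tgt_user.lower():
        reasons.append("cross-user read of Edge memory (shared-host harvesting pattern)")
    if _basename(source) in DUMP_TOOLS:
        reasons.append("known minidump tooling")
    severity = "high" if reasons else "medium"
    if not reasons:
        reasons.append("unrecognised same-user process reading Edge memory (infostealer pattern)")
    return Alert(severity, "; ".join(reasons), source, src_user, tgt_user,
                 int(event["GrantedAccess"], 16))


def analyze(jsonl: str) -> List[Alert]:
    """Run classify() over a JSON-lines export of Sysmon EID 10 EventData."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample export (not real telemetry); user names and paths are made up.
_EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
_SAMPLE = [
    # Edge's browser process opening one of its own children: allowlisted.
    {"SourceImage": _EDGE, "SourceUser": r"CORP\alice",
     "TargetImage": _EDGE, "TargetUser": r"CORP\alice", "GrantedAccess": "0x1FFFFF"},
    # Helpdesk account dumping alice's Edge on a shared host: high.
    {"SourceImage": r"C:\Tools\procdump64.exe", "SourceUser": r"CORP\svc-helpdesk",
     "TargetImage": _EDGE, "TargetUser": r"CORP\alice", "GrantedAccess": "0x1438"},
    # Unknown binary in alice's own session reading her Edge: medium.
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "SourceUser": r"CORP\alice",
     "TargetImage": _EDGE, "TargetUser": r"CORP\alice", "GrantedAccess": "0x1010"},
    # csrss.exe touching every process: allowlisted despite being cross-user.
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "SourceUser": r"NT AUTHORITY\SYSTEM",
     "TargetImage": _EDGE, "TargetUser": r"CORP\alice", "GrantedAccess": "0x1FFFFF"},
    # Task Manager listing processes: QUERY_LIMITED only, no VM_READ bit.
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceUser": r"CORP\alice",
     "TargetImage": _EDGE, "TargetUser": r"CORP\alice", "GrantedAccess": "0x1000"},
    # Same dump tool, but against notepad.exe: out of scope for this rule.
    {"SourceImage": r"C:\Tools\procdump64.exe", "SourceUser": r"CORP\svc-helpdesk",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetUser": r"CORP\alice",
     "GrantedAccess": "0x1438"},
]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in _SAMPLE)

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.source_user} via {a.source_image} -> Edge of {a.target_user} "
              f"(access 0x{a.granted_access:X}): {a.reason}")
```

Run against the constructed records, the rule raises two alerts: a high one for the helpdesk account dumping another user's Edge with ProcDump, and a medium one for the unknown binary reading Edge in its own session. The Task Manager event is dropped by the access-mask check, which is the detail most often missed when this rule is written as a plain "anything touching msedge.exe" match.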

For organizations subject to regulatory compliance requirements, this design choice may warrant a formal risk assessment. Auditors reviewing SOC 2 or ISO 27001 controls could view unnecessary plaintext credential exposure as a finding, particularly in shared computing environments.

Looking Ahead: Will Microsoft Change Course?

Microsoft's response leaves room for future adjustments, noting that design choices in this area 'need to balance performance, usability, and security.' The company said it would continue evaluating its approach, though no specific changes or timelines were announced.

Public pressure could accelerate a shift. The security research community has been vocal about the finding, and enterprise customers — Edge's most valuable user base — are likely to raise concerns through private channels. Microsoft has historically been responsive to enterprise security feedback, particularly when it threatens adoption of its products in regulated industries.

The broader trend in the browser market is moving decisively toward more granular, on-demand credential handling. With Chrome, Firefox, and Safari all implementing more conservative approaches, Edge's current design increasingly looks like an outlier rather than a reasonable alternative.

If Microsoft does not address this voluntarily, it may face pressure from another direction: cybersecurity insurance providers. Insurers are increasingly scrutinizing the specific tools and configurations used by their policyholders, and a browser that stores all credentials in plaintext memory could become a factor in risk assessments and premium calculations.

For now, the message to users and administrators is clear — understand the risk, evaluate your exposure, and take proactive steps to protect your credentials regardless of what Microsoft decides to do next.