When you launch Microsoft Edge, the browser quietly decrypts every password it has ever stored—regardless of whether you plan to use them—and keeps the entire collection in plaintext memory until you close the application. This behavior, confirmed by security researchers and reported by multiple outlets, is not a bug but a deliberate architectural choice by Microsoft, which justifies it as a balance between performance, usability, and security.
How Edge’s Password Vault Works
Edge’s built-in password manager operates like most browser-based solutions: you save credentials on a website, and the browser offers to autofill them on future visits. The difference lies beneath the surface, in what happens when the browser starts. Unlike other Chromium-based browsers, Edge loads every saved password into memory in cleartext as soon as it launches. This means the credentials for sites you visited years ago or never revisited remain decrypted and accessible for the entire session, whether or not they are needed.
The decryption process is eager and complete. Chrome, Edge’s technical foundation, takes a more cautious approach. It decrypts credentials only when required—for example, during autofill or when explicitly revealing a password—and stores the decrypted value in memory only temporarily. The rest of the vault remains encrypted. Chrome also implements Application-Bound Encryption (ABE) on Windows, which ties decryption keys to the authenticated Chrome process running at SYSTEM level. This makes it far harder for attackers to extract keys even if they gain administrative access, as the decryption is non-portable across processes.
Edge, however, skips both safeguards. It decrypts the entire password vault at launch and holds it in cleartext within the msedge.exe process. There is no equivalent of ABE, meaning the decrypted credentials are accessible as long as the browser remains open, regardless of the user’s session or intent.
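The difference between the two designs is easiest to see in code. The following Python is an added illustration, not code from Edge, Chromium or the researcher cited in this article: an EagerVault decrypts every entry at construction and keeps all of them resident, while a LazyVault decrypts one entry into a single scratch buffer on demand and zeroes it afterwards. The cipher is a constructed HMAC-SHA256 keystream toy chosen so the block runs with the standard library alone; the vault contents are constructed sample data.

```python
from contextlib import contextmanager
import hashlib
import hmac
import secrets

# Toy keystream cipher (HMAC-SHA256 in counter mode). Constructed for this
# illustration only: it is not a production cipher and does not authenticate
# the ciphertext. The point of the example is *when* decryption happens.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))

class EagerVault:
    """Decrypts every entry when constructed and keeps all of them resident:
    the launch-time behaviour the article attributes to Edge."""
    def __init__(self, key: bytes, encrypted_entries: dict[str, bytes]):
        self._plain = {site: decrypt(key, blob)
                       for site, blob in encrypted_entries.items()}

    def credential_for(self, site: str) -> bytes:
        return self._plain[site]

    def resident_plaintexts(self) -> list[bytes]:
        """Plaintext credentials currently held by this object."""
        return list(self._plain.values())

class LazyVault:
    """Keeps entries encrypted; decrypts a single entry on demand into one
    scratch buffer and zeroes it as soon as the caller is done."""
    def __init__(self, key: bytes, encrypted_entries: dict[str, bytes]):
        # The key itself stays resident here. The article's ABE point is a
        # separate control: making that key unusable from any other process.
        self._key = key
        self._blobs = dict(encrypted_entries)
        self._scratch = bytearray()  # the only place plaintext ever lives

    @contextmanager
    def use(self, site: str):
        self._scratch[:] = decrypt(self._key, self._blobs[site])
        try:
            yield self._scratch
        finally:
            # Overwrite before releasing. CPython frees the temporary bytes
            # returned by decrypt() without zeroing it, so this is a
            # best-effort scrub; a native implementation can do better.
            for i in range(len(self._scratch)):
                self._scratch[i] = 0
            del self._scratch[:]

    def resident_plaintexts(self) -> list[bytes]:
        return [bytes(self._scratch)] if self._scratch else []

def exposure(vault) -> int:
    """Number of plaintext credentials a memory reader would find right now."""
    return len(vault.resident_plaintexts())

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample vault: three saved sites, only one of which gets used.
    stored = {site: encrypt(key, pw) for site, pw in
              [("a.example", b"pw-a"), ("b.example", b"pw-b"), ("c.example", b"pw-c")]}
    eager, lazy = EagerVault(key, stored), LazyVault(key, stored)
    print("eager, idle:", exposure(eager))                 # 3
    print("lazy, idle:", exposure(lazy))                   # 0
    with lazy.use("b.example") as cred:
        print("lazy, during autofill:", exposure(lazy))    # 1
    print("lazy, after autofill:", exposure(lazy))         # 0
```

The eager vault exposes all three credentials for the whole session even though only one is ever used; the lazy vault exposes at most one, and only for the duration of the `with` block. The scrub is best-effort in Python, which is itself a useful reminder that "decrypt on demand" only pays off when the implementation can control the lifetime of the plaintext buffer.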
The Security Community’s Response
The discovery was first disclosed by security researcher Tom Jøran Sønstebyseter Rønning at Palo Alto Networks Norway’s "BIG Bite of Tech" conference on April 29, 2026. A demonstration video posted on LinkedIn on May 4 went viral, drawing thousands of views within hours and prompting coverage from major security outlets including Cybernews, DarkReading, SANS Internet Storm Center, PCWorld, Security Magazine, and Heise. Microsoft’s official response, attributed to the Edge team, framed the behavior as intentional design rather than a vulnerability.
The company argued that process-memory inspection requires elevated privileges, and if an attacker already has those, the device is effectively compromised. Therefore, the cleartext credentials in memory are considered a non-issue. While technically accurate in a narrow sense, this argument oversimplifies real-world threats in 2026. Credential-stealing malware does not operate in a vacuum. It adapts to the environment it encounters.
Why This Design Poses Real Risks
Microsoft’s defense hinges on the assumption that an attacker with administrative or SYSTEM-level access is already a lost cause. This overlooks several critical scenarios where elevated privileges are not a prerequisite for memory inspection—or where the local-admin distinction is meaningless.
- Shared workstations in healthcare, education, retail, and contact centers often grant multiple users administrative-equivalent rights without reaching SYSTEM level. Malware leveraging process-memory inspection can target other users’ active Edge sessions, harvesting credentials even when the attacker lacks full SYSTEM access.
- Kiosk and unattended machines, commonly found in libraries, hotels, or public terminals, are frequently left logged in and unlocked. These environments are prime targets for credential harvesting, and Edge’s design—storing everything in cleartext regardless of use—makes them particularly vulnerable.
- Legitimate tools used by forensic investigators and incident responders routinely read process memory. Malware that mimics these tools relies on the same access channels into the target process. Defense-in-depth measures, which other browsers implement through lazy decryption and ABE, are designed precisely to limit what such access yields.
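Because the plaintext vault lives in msedge.exe for the whole session, a defender's most direct compensating control is to watch for other processes opening Edge's memory. The following Python is an added example, not from the article or any of the outlets it cites: it scans Sysmon ProcessAccess (Event ID 10) records and flags any non-allowlisted process that obtains PROCESS_VM_READ or PROCESS_VM_WRITE on msedge.exe, marking the shared-workstation case where the accessing user differs from the Edge session's owner. The JSON field layout, the sample records, the allowlist and every tool name and path in them are constructed assumptions for the demonstration.

```python
import json
from pathlib import PureWindowsPath

# Win32 process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Source images that legitimately touch browser memory in this (assumed)
# environment. Keep it short, tune per fleet, and prefer hash-based
# allowlisting in production: a name match alone is easy to spoof.
ALLOWLIST = {
    "csrss.exe",
    "msedge.exe",   # Edge's own processes open handles to one another
}

def parse_event(line: str) -> dict:
    """One Event ID 10 record exported as a JSON line (constructed layout;
    real exports wrap the fields differently but carry the same names)."""
    return json.loads(line)

def is_edge_memory_access(event: dict) -> bool:
    """True when a ProcessAccess event grants read/write on msedge.exe memory."""
    if event.get("EventID") != 10:
        return False
    target = PureWindowsPath(event["TargetImage"]).name.lower()
    if target != "msedge.exe":
        return False
    access = int(event["GrantedAccess"], 16)
    return bool(access & (PROCESS_VM_READ | PROCESS_VM_WRITE))

def detect(lines) -> list[dict]:
    """Return one finding per suspicious access; cross_user marks the case
    where another account reads a user's Edge session on a shared machine."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_edge_memory_access(ev):
            continue
        source = PureWindowsPath(ev["SourceImage"]).name.lower()
        if source in ALLOWLIST:
            continue
        findings.append({
            "source": ev["SourceImage"],
            "granted_access": ev["GrantedAccess"],
            "source_user": ev.get("SourceUser", "?"),
            "target_user": ev.get("TargetUser", "?"),
            "cross_user": ev.get("SourceUser") != ev.get("TargetUser"),
        })
    return findings

# Constructed sample telemetry, not real logs.
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_LOG = [json.dumps(e) for e in [
    # Query-only handle from a system service: no VM_READ bit, ignored.
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1400",
     "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetUser": "CORP\\alice"},
    # Edge reading its own child process: allowlisted.
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1410", "SourceUser": "CORP\\alice", "TargetUser": "CORP\\alice"},
    # Unknown binary in a temp directory reading another user's Edge: flagged.
    {"EventID": 10, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update_helper.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1010",
     "SourceUser": "CORP\\bob", "TargetUser": "CORP\\alice"},
    # A responder's own triage tool (constructed name) also fires; it should
    # be allowlisted by hash during the engagement rather than silenced here.
    {"EventID": 10, "SourceImage": "C:\\IR\\memtriage.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1FFFFF", "SourceUser": "CORP\\ir-analyst", "TargetUser": "CORP\\ir-analyst"},
    # A process-creation event is not a ProcessAccess event: ignored.
    {"EventID": 1, "Image": EDGE, "User": "CORP\\alice"},
]]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        tag = "CROSS-USER " if f["cross_user"] else ""
        print(f"{tag}{f['source']} -> msedge.exe ({f['granted_access']}) "
              f"as {f['source_user']} against {f['target_user']}")
```

Two of the five records produce findings: the temp-directory binary reading another user's session (the shared-workstation scenario) and the responder tool, which demonstrates the article's point that legitimate and malicious readers are indistinguishable at this layer and must be separated by provenance, not by the access pattern.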
The deeper issue is not technical but philosophical. Microsoft’s response redefines the threat model: it accepts that an admin-level attacker can access decrypted credentials and treats this as the acceptable boundary. While this is a valid position to take, it conflicts with the expectations users reasonably hold when enabling a password manager. Other browsers in the same family have chosen a different balance—one that prioritizes limiting exposure even in partially compromised scenarios.
What Users Can Do
For users concerned about this design, the options are limited but actionable. Disabling the built-in password manager eliminates the risk but sacrifices convenience. Alternatively, users can migrate to a third-party password manager that encrypts credentials locally and does not rely on browser-based storage. Some enterprise environments may also enforce Group Policy settings to restrict Edge’s password storage behavior, though this requires administrative control.
The architectural choice Microsoft has made reflects a trade-off between usability and security. But in an era where credential theft remains a top attack vector, the question is whether that trade-off aligns with user expectations—or whether Edge’s "by design" approach leaves too many doors unlocked.