VYPR
Patch · Published May 18, 2026 · 1 source

Microsoft Reverses Course, Stops Storing Edge Passwords in Plaintext in Memory

Microsoft is changing Edge's password handling so that saved credentials are no longer decrypted and held in plaintext in process memory at startup, closing a long-standing weakness unique among Chromium browsers.

Microsoft has announced a significant change to how the Edge browser handles saved passwords, moving away from a practice that kept all credentials decrypted in process memory for the entire browser session. The change, already live in the Edge Canary channel, will roll out to all channels in build 148 and newer. This defense-in-depth improvement makes it harder for attackers with device access to harvest all saved passwords.

Previously, Edge decrypted the entire saved-password store on startup and kept all credentials resident in process memory in clear text for the whole browser session, regardless of whether a given credential was ever used. A short while ago, Microsoft said this plaintext password behavior was by design. Now, Microsoft has changed course, and the new password-handling behavior is already present in Canary (the experimental preview version of Microsoft Edge), with rollout prioritized across all channels.

The researcher who originally flagged the issue said: "Edge is the only Chromium-based browser I've tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory." Microsoft Edge Security Lead Gareth Evans said Microsoft is now taking a broader view and has committed to changing Edge so that saved passwords are no longer loaded into memory on startup as clear text. As a result, exposure will be reduced as a defense-in-depth improvement. That means even if an attacker has administrative control of a device, it becomes harder to harvest all the passwords.

According to Microsoft: "Going forward, Microsoft Edge will no longer load all saved passwords into memory at browser startup. Instead, passwords will be decrypted only when needed for autofill or password management operations." The change is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer across Stable, Beta, Dev, Canary, and Extended Stable).

The reason for this change is probably more reputational and strategic than an acknowledgment of an exploitable vulnerability. Microsoft seems to want to align reality with its "secure by design" messaging and reduce a very visible, easy-to-demo weakness, even if it still doesn't treat it as a classic memory-disclosure bug.

Passwords in your browser

Please note that this change just means Edge will become roughly as secure an option to store passwords as every other Chromium-based browser.

Your browser password manager gives you ease of use, but that comes with some security tradeoffs. Of course, password managers aren't foolproof either, so it's important to decide for yourself where you store your passwords. If you're confident a website is safe, and anyone who can access it under your account wouldn't learn anything sensitive, feel free to store the password in your browser, but disable autofill so you stay in control. Use MFA where possible. It enormously reduces the risk if someone gets hold of your password. And avoid using the browser password manager to store your credit card details or other sensitive personally identifiable information, such as medical information.

Synthesized by Vypr AI