devtake.dev

Microsoft Edge keeps every saved password in cleartext memory. Microsoft calls it 'by design'.

A researcher showed Edge decrypts the entire password vault at launch and leaves it in process memory. Chrome decrypts on demand. Microsoft says it's intentional.

Luca Reinhardt · 4 min read · 4 sources
A padlock on a chain, illustrating credential security.
U.S. Air Force image by Tech. Sgt. David Salanitri / Public domain via Wikimedia Commons

Microsoft Edge loads every saved password into cleartext process memory the moment it launches. The decrypted credentials sit there until the browser closes, even if the user never opens a tab that needs one.

The writeup making that claim, posted by independent researcher @L1v1ng0ffTh3L4N on April 29, kicked off a 498-point Hacker News thread the same day. Microsoft confirmed the behavior to the researcher and called it “by design.” Chrome, Firefox, Brave, and Vivaldi all decrypt credentials only when the user actively needs them.

What the researcher actually showed

The disclosure matters because Edge ships as the Windows default and now hosts the synced passwords of millions of corporate users who were nudged off Internet Explorer onto a browser they assumed inherited Chrome’s security posture. The proof is a small Windows tool that scans the Edge process’s memory after launch and lists every plaintext credential it finds. Run it cold, browse to nothing, and the dumper still returns the full saved-password store. Run the same tool against Chrome on the same machine and it returns an empty set until you visit a saved site or open the password manager UI.

The technical difference is when decryption happens. Chromium upstream decrypts each credential at the moment of autofill or when the user opens the manager. Edge fetches and decrypts the entire vault as part of its startup sequence and holds the cleartext for the lifetime of the process. Microsoft’s response to the disclosure, per the researcher, was that Windows protects per-user process memory at the OS level, so eager decryption is acceptable.
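The distinction between eager and on-demand decryption is easiest to see in code. The following is an added illustration written for this article, not Edge or Chromium source: two toy vaults over the same encrypted store, one that decrypts everything at construction and one that decrypts a single entry only while the caller holds it and zeroes the buffer afterwards. The cipher (HMAC-SHA256 keystream XOR plus an HMAC tag), the PBKDF2 stand-in for an OS-protected master key, and the sample credentials are all constructed for the demo; `resident_plaintext()` is a hypothetical helper that reports how many decrypted entries each vault currently holds, which is the quantity a memory scan of the process would find.

```python
import hashlib
import hmac
import os
from contextlib import contextmanager

# --- Toy cipher (demo only, not a production scheme) --------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytearray:
    """Returns a mutable bytearray so the caller can zero it when done."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    return bytearray(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    # Stand-in for the OS-protected vault key (assumption of this demo).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)

# --- Two vault designs -------------------------------------------------------
class EagerVault:
    """Decrypts every entry up front and keeps the plaintext for its lifetime."""
    def __init__(self, key: bytes, store: dict):
        self._plain = {site: decrypt(key, blob) for site, blob in store.items()}

    def get(self, site: str) -> bytes:
        return bytes(self._plain[site])

    def resident_plaintext(self) -> int:
        # Every entry is decrypted and resident from construction onward.
        return len(self._plain)

class LazyVault:
    """Decrypts one entry on demand and zeroes it as soon as the caller is done."""
    def __init__(self, key: bytes, store: dict):
        self._key = key
        self._store = dict(store)
        self._live = []  # plaintext buffers currently handed out

    @contextmanager
    def use(self, site: str):
        buf = decrypt(self._key, self._store[site])
        self._live.append(buf)
        try:
            yield buf
        finally:
            for i in range(len(buf)):  # wipe the plaintext in place
                buf[i] = 0
            self._live = [b for b in self._live if b is not buf]

    def resident_plaintext(self) -> int:
        return len(self._live)

# Constructed sample credentials for the demo.
SAMPLE_CREDENTIALS = {
    "example.com": b"correct horse battery staple",
    "mail.example.net": b"hunter2-but-longer",
    "intranet.example.org": b"Tr0ub4dor&3",
}

def demo():
    """Returns (resident counts at idle, (plaintext, count) during use, count after)."""
    key = derive_key(b"master-passphrase", b"demo-salt")
    store = {site: encrypt(key, pw) for site, pw in SAMPLE_CREDENTIALS.items()}
    eager = EagerVault(key, store)
    lazy = LazyVault(key, store)
    at_idle = (eager.resident_plaintext(), lazy.resident_plaintext())
    with lazy.use("example.com") as pw:
        during = (bytes(pw), lazy.resident_plaintext())
    after = lazy.resident_plaintext()
    return at_idle, during, after

if __name__ == "__main__":
    idle, during, after = demo()
    print(f"idle: eager={idle[0]} lazy={idle[1]}; during use: lazy={during[1]}; after: lazy={after}")
```

At idle the eager vault already holds all three plaintexts while the lazy vault holds none; the lazy vault holds exactly one entry for the duration of the `with` block and zero afterwards. That idle window, between browser launch and first autofill, is what the researcher's dump captures on Edge and misses on Chrome.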

Why the threat model isn’t trivial

The top reply on Hacker News points at the Chromium security FAQ, which formally puts local code execution out of scope. “Physically-local attacks,” and any application already running as the user, can read your data once Chrome is running, the doc says, and Chrome doesn’t try to defend against that case. By that argument Edge is no worse than Chrome, because both will surrender their secrets to a process that already runs as you.

That reasoning skips the case the researcher cares about. On a Windows terminal server, an administrator can read the memory of every logged-on user’s process without compromising any individual credential or planting a keylogger. They open the Edge process and copy out the vault. Chrome on the same host yields nothing until the user actively types. On a multi-user box, the window between “browser opened” and “first password used” is the entire workday.

Mitigations exist. Windows Credential Guard and modern enterprise policies isolate sensitive process memory, and any password manager that lives outside the browser (Bitwarden, KeePass) sidesteps the issue. None of those are the default on a personal Edge install.

What “by design” actually means

Microsoft’s reply lines up with how Edge tends to diverge from upstream Chromium: it inherits the engine and then tunes for first-launch experience and sync. Edge has historically chosen eager paths where Chrome chooses lazy, and Microsoft has historically declined to treat those choices as bugs. Two things follow.

First, this isn’t going to land in a security update on its own. There’s no CVE, the researcher’s tool is positioned as an awareness demo rather than an exploit, and Microsoft doesn’t view the behavior as a defect. Second, anyone running synced Edge passwords across Windows boxes has the full decrypted vault in RAM the whole time the browser is open. That is the part that has surprised IT admins, especially after the recent run of Microsoft credential-handling regressions like the ASP.NET data-protection bug in April that forced an out-of-band patch.

What this means for you

On a personal machine you control, the practical risk is roughly the same as any other Chromium browser. An attacker who can already run code as you can read your passwords, full stop. If you save fewer than ten of them or you accept the threat model, you don’t need to do anything.

On a shared Windows host, a terminal server, or a managed workstation where another user has admin rights, Edge is materially worse than the alternatives. The cheap fix is a dedicated password manager that runs outside the browser. Bitwarden’s free tier handles desktop and mobile and never decrypts the vault into the browser process. KeePass works offline on whatever you have around.

If you run a fleet, treat this as a config item now, not a silent default. Confirm Credential Guard is on, audit which non-admin processes can read Edge’s memory, and decide whether your endpoint policy still allows browser-managed credentials at all. Microsoft’s answer puts the burden on you, and that’s where it stays until the next time the threat model gets revisited.
