Microsoft Edge Stores Your Passwords in Plaintext. What That Means.
If your team saves passwords in the Microsoft Edge browser, there's a security issue you need to know about right now. A security researcher has confirmed that Edge loads every saved password into memory as readable text the moment the browser opens, and keeps them there for the entire session, whether those credentials are ever used or not. Microsoft says this is intentional.
What the Researcher Found
Norwegian security researcher Tom Jøran Sønstebyseter Rønning, an offensive security specialist and technical team lead at Statnett SF, tested every major Chromium-based browser to see how each handles credentials in memory. Edge was the only one that decrypts the entire password vault at startup and holds all of it in plaintext RAM for the full duration of the browser session.
"This happens even if you never visit a site that uses those credentials," Rønning wrote. He published a proof-of-concept tool on GitHub demonstrating that saved Edge credentials can be extracted directly from process memory without opening the password manager, bypassing Edge's own authentication prompt entirely.
When Rønning reported the behavior to Microsoft, the company confirmed it was a deliberate design decision. A Microsoft spokesperson told Dark Reading: “Design choices in this area involve balancing performance, usability and security, and we continue to review it against evolving threats.” Microsoft’s recommended mitigation was to keep devices patched and run antivirus software.
Compounding Risks
The distinction worth understanding here is not just that Edge stores passwords insecurely. It’s how different that approach is from every other major browser. Chrome, Brave and other Chromium-based browsers use a feature called Application-Bound Encryption, which decrypts a password only at the moment it’s needed and binds the decryption keys to an authenticated browser process. Passwords appear briefly in plaintext during autofill, then are removed.
Edge does none of this. All saved credentials sit in readable memory from startup to close, whether you use one of them or not.
This creates a meaningfully larger attack surface. An attacker who gains code execution on a machine, through phishing, a malicious download, or a compromised remote management tool, can simply read process memory. No cryptography needs to be broken. No unusual activity occurs from the browser's perspective. The credentials are already decrypted and waiting.
The risk compounds significantly in shared environments. Rønning specifically demonstrated that an attacker with administrative access on a terminal server, virtual desktop infrastructure, or shared workstation can pull stored credentials from every logged-on user running Edge simultaneously. That case reflects exactly how attackers move through enterprise environments: gain a foothold, escalate privileges, harvest credentials, expand access.
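One defender-side check the two paragraphs above imply, added here as an example and not taken from the article or the researcher's tool: if Sysmon is deployed with ProcessAccess logging (Event ID 10), flag any process that opens msedge.exe with the PROCESS_VM_READ right, which is what reading another process's memory requires. Sysmon itself, the allow-list of legitimate readers and the two sample events are assumptions.

```powershell
# Added example (not from the article or the researcher's tool): flag Sysmon Event ID 10
# (ProcessAccess) records in which a process opened msedge.exe with PROCESS_VM_READ, the
# right a memory-scraping infostealer needs. Assumes Sysmon with ProcessAccess logging
# enabled; the two events below are constructed samples, not real telemetry.
$VmRead = 0x0010                                        # PROCESS_VM_READ bit of GrantedAccess
$AllowedSources = @('C:\Windows\System32\csrss.exe')    # assumption: tune to your environment

function Test-EdgeMemoryRead {
    param([System.Xml.XmlElement]$Record)               # the <Event> node of one Sysmon record
    if ($Record.System.EventID -ne '10') { return $null }
    $d = @{}
    foreach ($item in $Record.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ([IO.Path]::GetFileName($d.TargetImage) -ne 'msedge.exe') { return $null }
    $granted = [Convert]::ToInt32($d.GrantedAccess, 16)
    if (($granted -band $VmRead) -eq 0) { return $null } # no VM_READ: cannot read memory
    if ($AllowedSources -contains $d.SourceImage) { return $null }
    [pscustomobject]@{
        Time = $d.UtcTime; SourcePid = $d.SourceProcessId; Source = $d.SourceImage
        Target = $d.TargetImage; Access = $d.GrantedAccess
    }
}

# Constructed samples in the shape Get-WinEvent's .ToXml() returns (fields trimmed).
$suspicious = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>
<EventData><Data Name="UtcTime">2025-01-01 10:00:00.000</Data><Data Name="SourceProcessId">4242</Data>
<Data Name="SourceImage">C:\Users\Public\updater.exe</Data>
<Data Name="TargetImage">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data>
<Data Name="GrantedAccess">0x1010</Data></EventData></Event>
"@
$benign = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>10</EventID></System>
<EventData><Data Name="UtcTime">2025-01-01 10:00:01.000</Data><Data Name="SourceProcessId">812</Data>
<Data Name="SourceImage">C:\Windows\System32\WerFault.exe</Data>
<Data Name="TargetImage">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data>
<Data Name="GrantedAccess">0x1400</Data></EventData></Event>
"@
$hits = foreach ($xml in $suspicious, $benign) { Test-EdgeMemoryRead ([xml]$xml).Event }
$hits | Where-Object { $_ } | Format-Table -AutoSize   # reports only updater.exe (0x1010 has VM_READ)

# Live use on a host with Sysmon (run elevated):
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=10]]' |
#   ForEach-Object { Test-EdgeMemoryRead ([xml]$_.ToXml()).Event } | Where-Object { $_ }
```

Expect noise from crash reporters, EDR agents and backup tools that legitimately open browser processes; grow the allow-list from observed baselines rather than suppressing the rule.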
What Microsoft’s Response Means
Microsoft's position is that exploiting this behavior requires the device to already be compromised. That is technically accurate. But it misses the point in a way that matters for businesses. The credential theft problem is rarely about a single compromised machine in isolation. It's about what happens after that first foothold. Plaintext passwords in memory are what allow hackers to move from one compromised account to 10, from one device to the entire network. They are the mechanism by which a limited intrusion becomes a full incident.
It’s also worth noting Germany’s Federal Office for Information Security (BSI) didn’t include the Microsoft Edge password manager in its December 2025 evaluation of 10 popular password managers. The BSI tested Chrome and Firefox password managers alongside eight dedicated tools, but Edge didn’t make the cut. This finding lands in that broader context of institutional skepticism toward Edge as a credential store.
Connection to Infostealer Malware
This disclosure lands in the middle of a documented surge in infostealer malware, which is designed to do exactly what Rønning’s proof-of-concept demonstrates: read credentials from browser memory and transmit them to attacker-controlled servers. According to Flashpoint’s Global Threat Intelligence Index, credential theft via infostealers surged 800 percent in the first half of 2025, with 1.8 billion credentials stolen from 5.8 million devices. Edge’s architecture makes that harvest easier, not harder.
What Your Business Should Do
The remediation is the same regardless of which browser your team uses, but it's more urgent for Edge users. Stop storing passwords in browsers. Move all credentials to a dedicated password manager, then delete everything stored in Edge. If you need step-by-step instructions for removing saved passwords from Edge and every other major browser, see STACK Cybersecurity's guide on how to remove saved passwords from browsers.
For companies managing Edge across a fleet of Windows devices, group policy provides a direct path to enforcement. In the Group Policy Editor, navigate to User Configuration > Policies > Administrative Templates > Microsoft Edge > Password manager and protection and disable the “Enable saving passwords to the password manager” policy. This prevents new passwords from being saved, though previously stored credentials will remain until manually deleted. Pair the policy change with a migration to an enterprise password manager to close both gaps.
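The same policy can be enforced and audited from PowerShell, which is useful for hosts outside Group Policy or for confirming a rollout took effect. This is an added example, not the article's or Microsoft's script; the policy's registry name, PasswordManagerEnabled, is Microsoft's documented name for the "Enable saving passwords to the password manager" setting, and the session is assumed to be elevated.

```powershell
# Added example (not from the article): enforce and verify the "Enable saving passwords to
# the password manager" Edge policy, whose registry name is PasswordManagerEnabled.
# Machine policy (HKLM) is what a fleet rollout should set; the HKCU path is where the
# User Configuration GPO described above lands. Assumes an elevated PowerShell session.
$MachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$UserKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName = 'PasswordManagerEnabled'

function Disable-EdgePasswordSaving {
    # A DWORD of 0 disables saving; Edge reads the policy at its next start.
    if (-not (Test-Path $MachineKey)) { New-Item -Path $MachineKey -Force | Out-Null }
    New-ItemProperty -Path $MachineKey -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-EdgePasswordPolicyState {
    # Returns the effective state; machine policy takes precedence over user policy.
    foreach ($key in $MachineKey, $UserKey) {
        $v = (Get-ItemProperty -Path $key -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
        if ($null -ne $v) {
            $state = if ($v -eq 0) { 'saving disabled' } else { 'saving ENABLED (policy set to 1)' }
            return "$key : $state"
        }
    }
    'Not configured: users may still save passwords in Edge'
}

Disable-EdgePasswordSaving
Get-EdgePasswordPolicyState
# The policy only blocks new saves. Credentials already stored in each profile stay until
# they are removed from Edge's password manager or the profile is migrated and cleared.
```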
Dedicated password managers handle credentials differently by design. They encrypt the vault with keys that never leave the user’s device, require explicit authentication before revealing any credential, and do not load the entire vault into memory at startup. That architecture does not eliminate risk entirely, but it removes the specific exposure this disclosure describes.
The question for any business running Edge is whether passwords currently saved in that browser are worth the exposure. Given that Microsoft has stated this is by design and offered no timeline for changing it, the answer is straightforward: they aren’t. Contact a cybersecurity firm for guidance migrating your team to a dedicated password manager and removing credentials from browsers across your environment.
This is an abridged version of an article posted to STACK's blog.
About the Author
Tracey Birkenhauer is Chief Impact Officer at STACK Cybersecurity. She may be reached at 734-744-5300 or tracey@stackcyber.com.
STACK Cybersecurity is an MMA Premium Associate Member and has been an MMA member company since December 2024. Visit online: stackcyber.com.