
Microsoft Edge Stores Your Passwords in Plaintext

  • May 8
  • 5 min read

Microsoft Edge Stores Your Passwords in Plaintext — By Design


A security researcher demonstrated this week that Microsoft Edge decrypts every credential saved in its built-in password manager the moment the browser starts, then keeps the entire vault in plaintext memory until the browser closes. Microsoft was notified, reviewed the behavior, and confirmed it operates as intended. For any business whose employees use Edge as their default Windows browser, that's a problem worth a meeting this week — not because of a remote zero-day, but because of how cleanly it amplifies the kind of compromise most companies are already vulnerable to.


What Microsoft Edge actually does with your passwords


The disclosure came from researcher Tom Jordan Sonstebyseter Ronning, who tested every major Chromium-based browser to see how each handles saved credentials in memory. Edge stood out. Where Chrome, Brave, and Opera decrypt a single password only when it's needed — for autofill or when the user clicks "show password" — Edge decrypts the full vault at startup and leaves it sitting in process memory for the entire session. According to Ronning, that happens whether or not the user ever visits a site that uses any of those credentials.


Chrome and the other Chromium browsers also use Application-Bound Encryption to lock the keys to an authenticated process, which makes broad memory scraping much less effective. Edge, in this scenario, doesn't apply that protection. The researcher published a proof-of-concept showing that pulling the cleartext credentials out of memory doesn't require a zero-day or anything exotic. It just requires the ability to read another process's memory, which on a Windows endpoint is a function of having sufficient privilege — exactly the kind of privilege a foothold-stage attacker is already working to acquire.


Microsoft's response: "by design"


When Ronning reported the issue, Microsoft replied that the behavior is intentional. The company told Windows Central that the scenario described would require an already-compromised device, and that the design reflects a deliberate balance between performance, usability, and security. Loading the credential vault into memory at startup, in Microsoft's framing, is "an expected feature of the application" that lets users sign in quickly. The recommended mitigation is to keep systems patched and antivirus current.


That's a defensible position from a vendor's perspective. The risk only materializes after an attacker is already inside. From a defender's perspective, though, "after the attacker is already inside" describes an enormous number of incidents that happen every day. Infostealer malware — the category of threat that scrapes browser data, session cookies, and saved credentials from compromised endpoints — already lives there. Edge's design hands those tools a tidier package than they'd otherwise get.


Why this matters for your business


Most small and mid-market companies have employees using Edge as the default browser on Windows machines. Those browsers double as password managers, holding logins for the customer portal, the vendor extranet, the payroll service, the bookkeeping tool, the HR system, and a dozen SaaS dashboards nobody in IT has fully inventoried. When an endpoint is compromised — through a phishing click, a malicious document, a stolen session token, a contractor's infected laptop plugged into your network — the attacker's first job is to grab as much credential material as possible before a defender notices.


If those passwords are stored in Edge, every one of them is sitting in memory in cleartext, including credentials the user hasn't logged into in months. That changes the math on a single-machine compromise. Instead of one user's session, the attacker now has standing access to your finance, HR, vendor, and customer systems — and they don't need a kernel exploit, a custom toolchain, or anything beyond a working infostealer to harvest it.


How an attacker turns this into a credential haul


Picture a typical small-business breach. An employee opens a malicious attachment that executes code on their laptop. The attacker has a foothold but not yet domain admin. From this position, several things happen in quick succession: the attacker pulls saved cookies from the browser, scrapes any cached credentials, and looks for things like password files, SSH keys, and cloud configuration data on disk.


With the Edge behavior in mind, that same attacker can also read the running Edge process and walk away with the user's full credential vault — every site the employee ever told Edge to remember, in cleartext. If that employee handles invoicing, the attacker has the bookkeeping login. If they handle benefits, the attacker has the HR portal. If they're the principal, the attacker may have everything, including cloud admin consoles for AWS, Azure, or Microsoft 365. This isn't speculation; the published proof-of-concept demonstrates exactly this primitive on a terminal-server scenario, where one administrator can read every other logged-in user's process memory in a single shot.


What to do this week


This isn't a five-alarm fire — there's no remote exploit and no patch to chase. It is, however, a clean policy decision a leadership team can make in one meeting and a security team can implement in a few days. The companies that handle this well will treat it as a forcing function to fix something that has been a quiet exposure for years: business credentials saved inside consumer-grade browser tooling.


Stop saving work credentials in the browser

The simplest and highest-leverage change. Set a written policy that employees do not save work credentials in their browser's built-in password manager — Edge, Chrome, or anything else. Browser password managers prioritize convenience over containment, and the Edge disclosure is a useful illustration of why "convenience over containment" is the wrong tradeoff for business credentials.
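A policy like this is only as good as the ability to check it. The following Python script is an added example written for this edit, not code from the original post or from the researcher's proof-of-concept; it inventories which sites have saved logins in an Edge profile without reading or decrypting a single password value, which is all an audit of "who still has work credentials in Edge" needs. It assumes the standard Chromium-family layout that Edge uses on Windows: one "Login Data" SQLite file per profile folder under `%LOCALAPPDATA%\Microsoft\Edge\User Data`, with a `logins` table carrying `origin_url`, `username_value` and an encrypted `password_value`. The work-domain list and the sample profile it builds for the demo are constructed.

```python
import shutil
import sqlite3
import tempfile
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

# Systems the policy says must not live in a browser vault (constructed list).
WORK_DOMAINS = {
    "payroll.example.com",
    "hr.example.com",
    "login.microsoftonline.com",
}

# Default Edge profile root on Windows; each profile folder ("Default",
# "Profile 1", ...) holds its own "Login Data" SQLite file.
EDGE_USER_DATA = Path.home() / "AppData" / "Local" / "Microsoft" / "Edge" / "User Data"


def find_login_data_files(user_data_dir=EDGE_USER_DATA):
    """Return every profile's 'Login Data' file under an Edge User Data directory."""
    return sorted(Path(user_data_dir).glob("*/Login Data"))


def inventory_saved_logins(login_data_path, work_domains=WORK_DOMAINS):
    """Summarise which hosts have saved logins; password_value is never selected.

    The audit only needs origin_url and username_value to decide whether a
    work credential is parked in the browser, so the encrypted column stays
    untouched and nothing secret is ever loaded into this process.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Edge keeps the live file locked while running, so audit a copy.
        copy = Path(tmp) / "Login Data"
        shutil.copy2(login_data_path, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(
                "SELECT origin_url, username_value FROM logins"
            ).fetchall()
        finally:
            conn.close()

    per_host = Counter()
    work_hits = []
    for origin_url, username in rows:
        host = (urlparse(origin_url).hostname or origin_url).lower()
        per_host[host] += 1
        if host in work_domains:
            work_hits.append({"host": host, "username": username})
    return {"total": len(rows), "per_host": dict(per_host), "work": work_hits}


def build_sample_login_data(path):
    """Write a constructed stand-in for an Edge 'Login Data' file.

    Only the columns the audit touches are modelled; password_value holds an
    opaque blob, standing in for the encrypted value the real file stores.
    """
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins ("
        "origin_url TEXT, username_value TEXT, password_value BLOB, date_last_used INTEGER)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?)",
        [
            ("https://payroll.example.com/login", "jane", b"opaque-encrypted-blob", 0),
            ("https://hr.example.com/", "jane.doe", b"opaque-encrypted-blob", 0),
            ("https://shop.example.net/account", "jane", b"opaque-encrypted-blob", 0),
        ],
    )
    conn.commit()
    conn.close()
    return path


def demo_report():
    """Build a constructed profile in a temp directory and audit it (offline demo)."""
    with tempfile.TemporaryDirectory() as demo:
        profile = Path(demo) / "Default"
        profile.mkdir()
        build_sample_login_data(profile / "Login Data")
        files = find_login_data_files(demo)
        return inventory_saved_logins(files[0])


if __name__ == "__main__":
    # On a real endpoint, iterate over find_login_data_files() instead.
    report = demo_report()
    print(report["total"], "saved logins;", len(report["work"]), "on work systems")
    for hit in report["work"]:
        print("  work credential saved for", hit["host"], "as", hit["username"])
```

Run it under the user's own account (or from an RMM agent with file access to the profile) and feed the per-host counts into the asset inventory; the two work hits in the demo are exactly the entries the policy says should be moved to the sanctioned password manager and rotated.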


Deploy a real password manager

Give employees a sanctioned alternative. A dedicated password manager — 1Password, Bitwarden, Dashlane, Keeper, or equivalent — encrypts the vault end-to-end, decrypts individual entries only when explicitly used, and integrates with single sign-on for the systems that support it. This is not optional infrastructure for a 25-person company anymore.


Pair every saved credential with multi-factor authentication

If a saved password is also protected by a second factor, an infostealer scrape becomes a much smaller problem. MFA enforcement on every system that supports it — email, finance, HR, vendor portals, cloud admin consoles — is the single biggest mitigator of stolen-credential incidents and should be the audit baseline. Where possible, move toward phishing-resistant MFA (passkeys or hardware tokens) for high-value accounts.


Tighten endpoint detection and response

Memory-scraping infostealer malware leaves signals: anomalous process access patterns, scheduled tasks, persistence keys, traffic to known command-and-control infrastructure. A managed detection and response service, or a properly tuned EDR product, catches those signals before the credential haul leaves the environment. If the current endpoint protection is consumer-grade antivirus, this disclosure is one more reason to upgrade it.
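The "anomalous process access" signal above is concrete enough to write down. The following Python detector is an added example for this post, not code from the original article or from any EDR vendor: it scans Sysmon Event ID 10 (ProcessAccess) records and flags any process outside an allowlist that obtains a handle to `msedge.exe` carrying memory-read or memory-write rights, which is the handle a memory scraper needs and a task manager does not. The Sysmon field names (`SourceImage`, `TargetImage`, `GrantedAccess`) and the Windows access-right constants are real; the allowlist, the file paths and the sample events are constructed for the demo.

```python
import json

# Windows process access rights that allow reading or changing another
# process's memory (real constants from the Win32 API).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

EDGE_IMAGE = "msedge.exe"

# Processes expected to open Edge with memory rights: Edge's own child processes
# and the Windows client/server subsystem. Constructed allowlist; a verified EDR
# agent binary would normally be added here after baselining.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\windows\system32\csrss.exe",
}


def parse_granted_access(value):
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(str(value), 16)


def flag_edge_memory_reads(event_lines, allowed_sources=ALLOWED_SOURCES):
    """Return an alert for each Event ID 10 record in which a non-allowlisted
    process got a handle to msedge.exe that permits reading its memory."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 10:
            continue
        target = ev.get("TargetImage", "").lower()
        if not target.endswith("\\" + EDGE_IMAGE):
            continue
        access = parse_granted_access(ev.get("GrantedAccess", "0x0"))
        if not access & MEMORY_RIGHTS:
            continue  # query-only handles (Task Manager and similar) are noise
        source = ev.get("SourceImage", "").lower()
        if source in allowed_sources:
            continue
        alerts.append({
            "time": ev.get("UtcTime"),
            "source": ev.get("SourceImage"),
            "target": ev.get("TargetImage"),
            "granted_access": hex(access),
            "reason": "non-allowlisted process obtained a memory-read handle to Edge",
        })
    return alerts


# Constructed Sysmon Event ID 10 records in JSON-lines form, as a log forwarder
# might emit them. Raw string: the JSON escapes are decoded by json.loads.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2024-05-08 09:14:02.117", "SourceImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2024-05-08 09:14:05.402", "SourceImage": "C:\\Users\\jane\\AppData\\Local\\Temp\\invoice_viewer.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "UtcTime": "2024-05-08 09:14:07.981", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1000"}
{"EventID": 1, "UtcTime": "2024-05-08 09:14:08.003", "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 10, "UtcTime": "2024-05-08 09:14:09.250", "SourceImage": "C:\\Users\\jane\\AppData\\Local\\Temp\\invoice_viewer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
"""


if __name__ == "__main__":
    for alert in flag_edge_memory_reads(SAMPLE_EVENTS.splitlines()):
        print(alert["time"], alert["source"], "->", alert["target"], alert["granted_access"])
```

Of the five constructed records only the unsigned executable in the user's Temp folder trips the rule: Edge opening its own child processes is allowlisted, Task Manager's `0x1000` handle (`PROCESS_QUERY_LIMITED_INFORMATION`) carries no memory rights, and the last record targets Notepad rather than Edge. The same filter expressed in a Sysmon configuration is a `ProcessAccess` include rule whose `TargetImage` condition is "end with" `msedge.exe`, with the allowlist applied in the SIEM; keep the baselining period short, because Edge spawns many helper processes and a noisy rule is the fastest way to get this detection switched off.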


Update your incident response plan

When a compromised endpoint is investigated, "rotate the user's saved credentials" should be a standard step — not an afterthought remembered on day three. Build a saved-credential inventory question into the Incident Response playbook and have a script ready for forced password resets across the systems most likely to contain saved logins. The faster a compromised vault becomes worthless, the smaller the blast radius.


Where a vCISO fits


This is exactly the kind of decision a fractional CISO is built for: low-drama, high-leverage policy work that closes a real exposure without buying new technology. A virtual CISO writes the browser-credential policy, rolls out the approved password manager, sets the MFA enforcement standard, audits which employees still have work credentials saved in Edge, and updates the incident response plan to reflect the new reality. None of that requires a full-time hire; it requires someone who has done it before and can move quickly.


Purple Shield Security helps mid-market and regulated businesses make changes like this stick — through vCISO and fractional CISO services that give a leadership team a security executive on demand, plus risk assessments that surface the kind of quiet exposure this Edge disclosure highlights. If your team is using Edge today and you don't have a written policy on browser-stored credentials, that's a conversation worth having this week. Get in touch to book a working session.

 
 