Microsoft Edge stores all your saved passwords unencrypted in memory

Daniel Sims

WTF?! Microsoft advertises its password manager as having robust encryption on par with well-regarded third-party options. However, security researchers have discovered that the browser effectively decrypts all passwords while it is running, potentially putting them within reach of hackers with local access to a device. Edge has maintained this behavior for years, and Microsoft does not plan to change it.

Security researcher Tom Jøran Sønstebyseter Rønning recently shared evidence that Microsoft's web browser-based password manager stores all of its saved passwords in memory without encryption while running. He released and demonstrated a simple proof of concept that displays the passwords and their associated accounts.

Microsoft's documentation claims that Edge uses on-disk AES encryption, similar to independent password managers such as Bitwarden, with encryption keys stored in a protected location on the OS. In theory, this prevents hackers from retrieving passwords from Microsoft's servers or from a local PC without logging in.

However, Rønning discovered that the browser moves the passwords into memory in cleartext as soon as it opens, despite requiring authentication to view passwords. Edge exhibits this behavior with all passwords, even those that are never used during a session.

Furthermore, passwords remain visible in RAM if a user logs into another account on the same device without closing Edge. This could allow an attacker with admin privileges to view all passwords for any users who have left Edge running, making Microsoft's password manager far less safe on shared PCs.
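The shared-PC scenario above (an administrator reading another user's running Edge process) leaves a detection footprint: a handle to msedge.exe opened with PROCESS_VM_READ by a process that is not Edge itself, or that runs as a different user. The triage logic below is an added example, not code from the article or from Microsoft; it assumes Sysmon Event ID 10 (ProcessAccess) records with the SourceImage, TargetImage, GrantedAccess, SourceUser and TargetUser fields, and the sample events are constructed.

```python
"""Triage Sysmon ProcessAccess (Event ID 10) records for memory reads of Edge.
Added illustration, not part of the article. Field names follow Sysmon's
Event ID 10 schema (the SourceUser/TargetUser fields need a recent Sysmon).
Sample events are constructed, not real telemetry."""

PROCESS_VM_READ = 0x0010  # Win32 right required to read another process's memory

# Images that legitimately open msedge.exe with VM_READ on a typical host.
# Tune per environment; Chromium's own browser/renderer processes open each other.
ALLOWLIST = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

def flag_edge_memory_access(event):
    """Return a reason string if this event looks like a memory read of Edge, else None."""
    if not event["TargetImage"].lower().endswith(r"\msedge.exe"):
        return None
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as hex text, e.g. "0x1010"
    if not granted & PROCESS_VM_READ:
        return None  # a query-only handle cannot read the heap
    cross_user = event["SourceUser"].lower() != event["TargetUser"].lower()
    if cross_user:
        return "cross-user VM_READ on msedge.exe"  # the shared-PC case from the article
    if event["SourceImage"].lower() not in ALLOWLIST:
        return "non-allowlisted VM_READ on msedge.exe"
    return None

def triage(events):
    """Return (SourceImage, TargetUser, reason) for every suspicious event."""
    hits = []
    for ev in events:
        why = flag_edge_memory_access(ev)
        if why:
            hits.append((ev["SourceImage"], ev["TargetUser"], why))
    return hits

# Constructed sample records: Edge opening a sibling process, Task Manager with a
# query-only handle, and a tool run by a second user reading the first user's Edge.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1410", "SourceUser": r"DESK\alice", "TargetUser": r"DESK\alice"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000", "SourceUser": r"DESK\alice", "TargetUser": r"DESK\alice"},
    {"SourceImage": r"C:\Users\bob\Downloads\dumptool.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1fffff", "SourceUser": r"DESK\bob", "TargetUser": r"DESK\alice"},
]
```

Only the third record is reported; the first is Edge's own inter-process access and the second never requested PROCESS_VM_READ.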

This behavior is unique among Chromium-based browser password managers. For example, Chrome only decrypts passwords when users need them.

Another researcher, Zeev Ben Porat, described the same issue in 2022, confirming that Edge has held cleartext passwords in RAM for at least four years. When Rønning reported his findings to Microsoft, the company informed him that the behavior was "by design."

Users shopping for a password manager should probably avoid browser-based managers altogether. While some, like Chrome's, are more secure than they were years ago, tying passwords to a single browser makes them more difficult to access outside of that browser. Additionally, losing access to the account tied to the browser, such as a Google account for Chrome or a Microsoft account for Edge, puts much more at stake.

While browser-based managers are attractive since they lack subscriptions, TechSpot considers Bitwarden the best free choice. Dashlane, KeePass, and 1Password are also recommended.

 
I can see content providers that have used Edge as the basis for their apps are absolutely going to love this behavior.

I've always wondered why content providers based their apps on Edge. Then again, I'm sure it's because it costs less to develop their apps if those apps are based on Edge. - In the immortal words of Forrest Gump - STUPID IS AS STUPID DOES!!

Then again, maybe this will spur them to go back to apps that have no basis in Edge. Too much to hope for, probably.

Even though this appears to require direct physical access to a PC to exploit, it's still a risk, IMO.

M$ Edge - A POS by any other name that smells as bad.
 
Please obtain and publish the Microsoft communication declaring this behavior as intended, ideally including the author.
 
Edge is based on Chromium, and I believe this is a Chromium issue, no?

I have heard of issues with users sharing chrome with different profiles being able to use other users logon info, so it may not be just a MS issue.

Either way as an "intended operation" this is awful security.
 
Edge is based on Chromium, and I believe this is a Chromium issue, no?

I have heard of issues with users sharing chrome with different profiles being able to use other users logon info, so it may not be just a MS issue.

Either way as an "intended operation" this is awful security.

Article's sixth paragraph: "This behavior is unique among Chromium-based browser password managers. For example, Chrome only decrypts passwords when users need them."
 
If you look at other password managers like Bitwarden, though the data is stored in encrypted format while in memory, the decryption key isn't. At that point it would be trivial to get the key and decrypt the data.

With that being said, the only way to stop this from happening would be using TPM or some other secure data storage vault.
 
The detail that Edge decrypts every password on launch... including ones never used during the session is what separates this from a reasonable engineering tradeoff into something harder to defend. Chrome decrypts on demand. Edge apparently decided the right moment to decrypt your banking credentials was the moment you opened a tab to check the weather.
 
Yeah but I never would have trusted Microsoft with any "encryption" based service, there's plenty of examples out there where for example BitLocker does not really do what it's supposed to do. It's encryption for the masses, but not encryption in a way you would think. How many times with a warrant Microsoft has given full OS details to feds just to comply, but at the same time keep gathering more and more data in that regard.

Linux just wins terrain left and right because of the cluster****(s) or deliberate design choices MS is doing and simply not being fully transparent about it. Maybe in a few years after it's widely adopted, then yes.
 
Yeah but I never would have trusted Microsoft with any "encryption" based service, there's plenty of examples out there where for example BitLocker does not really do what it's supposed to do. It's encryption for the masses, but not encryption in a way you would think. How many times with a warrant Microsoft has given full OS details to feds just to comply, but at the same time keep gathering more and more data in that regard.

Linux just wins terrain left and right because of the cluster****(s) or deliberate design choices MS is doing and simply not being fully transparent about it. Maybe in a few years after it's widely adopted, then yes.

Windows and Linux browsers use some variant of AES 256-bit encryption for credentials. Windows BitLocker uses XTS-AES-128, a top-rated and popular encryption algorithm, supported by FileVault (macOS), VeraCrypt and OpenSSL. So how is Windows 11 encryption weaker? If you don't store your BitLocker recovery keys in the cloud\OneDrive, Microsoft has no way to access your BitLocker encrypted drive(s) even with a warrant.

Been known for some time now that storing credentials in the browser is not secure and a password manager has always been recommended. So storing credentials in the browser on Windows or Linux gets zero sympathy from me.
 
Hmm, well, I do backup by writing 99.9 % of my passwords down on Rolodex cards. I don't save passwords on Edge, I only use it when someone requires it, but not for logging in. I guess that was a smart decision on my part. BTW, it's really hard to find a good Rolodex these days, had to go begging on eBay to find one...the cards no problem though.
 
So an out of service W10pro - (in my case with Edge totally removed) is a security risk according to Mslop.

An up-to-date fully patched W11 is "the most secure OS ever." Update now!!

BTW: users should note that all of your stored passwords in our secure browser, are not stored using encryption.

This corporation is a joke.

I wonder what Bill thinks of Windows in 2026. He's too polite to say I suppose.
 
The exodus of talent from the dev team at MS has left them with these kinds of issues all the time. The quality of the software being tacked onto Windows 11 over the past four years is atrocious. The latest iteration of the Start Menu - probably the most important UI in the OS as it is here most users perform most of their interactions - is the high-water-mark of this incompetence and arrogance. The appalling Categories view they added beggars belief. It categorises almost nothing in a sensible way and then lets the user do nothing about it - no renames, no change categories, no move categories about, nothing. It's slow and it's buggy. There are so many devs writing 3rd party replacements that work 10 times as well and are put together by teams a fraction of the size. It's utterly incomprehensible how it can be so bad.
 
Why would anyone trust microslop's edge browser, or any browser for that matter, to keep their passwords secure?
 
The exodus of talent from the dev team at MS has left them with these kinds of issues all the time. The quality of the software being tacked onto Windows 11 over the past four years is atrocious. The latest iteration of the Start Menu - probably the most important UI in the OS as it is here most users perform most of their interactions - is the high-water-mark of this incompetence and arrogance. The appalling Categories view they added beggars belief. It categorises almost nothing in a sensible way and then lets the user do nothing about it - no renames, no change categories, no move categories about, nothing. It's slow and it's buggy. There are so many devs writing 3rd party replacements that work 10 times as well and are put together by teams a fraction of the size. It's utterly incomprehensible how it can be so bad.
It makes sense when you consider intention.

There's a reason they push slop
 
Hmm, well, I do backup by writing 99.9 % of my passwords down on Rolodex cards. I don't save passwords on Edge, I only use it when someone requires it, but not for logging in. I guess that was a smart decision on my part. BTW, it's really hard to find a good Rolodex these days, had to go begging on eBay to find one...the cards no problem though.
I had used POST-ITs for that purpose, until it became too difficult to keep track. Now I made a table on WORD and printed on a Legal-sized paper. Columns for site name, log-in, & PW; the latter penciled in; former computer printed, & sorted alphabetically.
 
The exodus of talent from the dev team at MS has left them with these kinds of issues all the time. The quality of the software being tacked onto Windows 11 over the past four years is atrocious. The latest iteration of the Start Menu - probably the most important UI in the OS as it is here most users perform most of their interactions - is the high-water-mark of this incompetence and arrogance. The appalling Categories view they added beggars belief. It categorises almost nothing in a sensible way and then lets the user do nothing about it - no renames, no change categories, no move categories about, nothing. It's slow and it's buggy. There are so many devs writing 3rd party replacements that work 10 times as well and are put together by teams a fraction of the size. It's utterly incomprehensible how it can be so bad.
Very well put, and I fully agree with you.
One more little niggle which I finally did manage to achieve on my W11pro "test machine" is that there is no simple quick way to create a restore point. I always make one before doing anything like installing or updating something.
I figured it out and now have a nice one click shortcut on my desktop W11 (same as is easy to do with w10) so I can make a restore point with literally a double click and name it.

WTF do these sloppy a****holes keep removing useful things. (only for those inclined to waste time reconfiguring stuff so we can do it easily and quickly. Everything can be done, but we shouldn't need to add back in basic, convenient functionality by whatever means because those ******s removed it.)

I mean a restore point for instance. That can be very useful if something goes wrong, which with W11 seems to be by design. Unbelievable what Sata and his bots have done to Windows.

I wish I could rep you x 2!!
 
While I'm at it, and apologies for being off topic but regarding A.I.

I think it has massive potential and is amazing tech especially for medicine, sciences and much more.

But if anyone wanted to give A.I. a bad name, not trust it, and even be afraid of it, then we have the perfect way to accomplish that dubious goal.
Follow the way MicroSlop have implemented it into Windows. Nuff said.
 
I had used POST-ITs for that purpose, until it became too difficult to keep track. Now I made a table on WORD and printed on a Legal-sized paper. Columns for site name, log-in, & PW; the latter penciled in; former computer printed, & sorted alphabetically.
Nice, and 99.9% safe. Why not 100%?
If that PC is connected to the internet, and running Windows, well there is the only weak link in the chain. Your OS.

Seriously, I admire your approach to security.
 
Why would anyone trust microslop's edge browser, or any browser for that matter, to keep their passwords secure?
Regarding the billion or whatever number of people who use Windows + Edge, it's not really a question of why.

The masses do it and will do it. They will be unaware of this topic.

All of us here have an interest in tech. The majority of PC users don't really. They just want a computer, mail, browsing etc.

Then blindly (NOT their fault) trust the most untrustworthy major Corp in the world to keep them safe and secure. Probably not even that. They have auto update on and don't really give security such as simple encryption of passwords a second thought.

EDIT: But sadly, you are correct it seems. Especially with Edge.
 