WTF?! Microsoft advertises its password manager as having robust encryption on par with well-regarded third-party options. However, security researchers have discovered that the browser effectively decrypts all passwords while it is running, potentially putting them within reach of hackers with local access to a device. Edge has maintained this behavior for years, and Microsoft does not plan to change it.
Security researcher Tom Jøran Sønstebyseter Rønning recently shared evidence that Microsoft's web browser-based password manager stores all of its saved passwords in memory without encryption while running. He released and demonstrated a simple proof of concept that displays the passwords and their associated accounts.
Microsoft's documentation claims that Edge uses on-disk AES encryption, similar to independent password managers such as Bitwarden, with encryption keys stored in a protected location on the OS. In theory, this prevents hackers from retrieving passwords from Microsoft's servers or from a local PC without logging in.
However, Rønning discovered that the browser moves the passwords into memory in cleartext as soon as it opens, despite requiring authentication to view passwords. Edge exhibits this behavior with all passwords, even those that are never used during a session.
Furthermore, passwords remain visible in RAM if a user logs into another account on the same device without closing Edge. This could allow an attacker with admin privileges to view all passwords for any users who have left Edge running, making Microsoft's password manager far less safe on shared PCs.
This behavior is unique among Chromium-based browser password managers. For example, Chrome only decrypts passwords when users need them.

Another researcher, Zeev Ben Porat, described the same issue in 2022, confirming that Edge has held cleartext passwords in RAM for at least four years. When Rønning reported his findings to Microsoft, the company informed him that the behavior was "by design."
Users shopping for a password manager should probably avoid browser-based managers altogether. While some, like Chrome's, are more secure than they were years ago, tying passwords to a single browser makes them more difficult to access outside of that browser. Additionally, losing access to the account tied to the browser, such as a Google account for Chrome or a Microsoft account for Edge, puts much more at stake.
While browser-based managers are attractive since they lack subscriptions, TechSpot considers Bitwarden the best free choice. Dashlane, KeePass, and 1Password are also recommended.