Microsoft Edge is storing passwords as plain text? Here's what Microsoft says.
Source: Mashable Tech
Discovery
Researcher Tom Jøran Sønstebyseter Rønning found that Microsoft Edge loads every saved password into memory at startup, in plaintext. In a thread on X, Rønning detailed how the credentials are decrypted at startup even if the user never visits a site where the password manager would be used during that session.
“If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes,” Rønning writes.
Comparison with Other Chromium‑Based Browsers
Edge is Microsoft’s proprietary browser built on the Chromium open‑source project. According to Rønning, this issue does not appear in other Chromium‑based browsers such as Google Chrome.
“Edge is the only Chromium‑based browser I’ve tested that behaves this way,” Rønning said. “By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.”
Microsoft’s Response
Rønning contacted Microsoft before publicly disclosing the findings. Microsoft reportedly responded that the behavior is “by design.” The German tech site Heise Online replicated the issue and noted that, per established cybersecurity best practices, “passwords should only be decrypted at the time of use and deleted from memory very shortly thereafter.”
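To make the design difference concrete, here is an added example (not code from the article, from Microsoft, or from Rønning) contrasting the two approaches in C. A hypothetical "eager" vault decrypts every entry at load time and keeps the plaintext resident, mirroring the behaviour the article describes; a hypothetical "lazy" vault keeps only ciphertext resident, decrypts one entry into a scratch buffer at the moment of use, and wipes that buffer as soon as the use is over, which is the practice Heise describes. The XOR "cipher" and its key are constructed stand-ins for the real OS-protected key store, the vault layouts are invented for the example, and a simple scan of the vault struct stands in for reading process memory; the sample site and password are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 64
#define MAX_ENTRIES 4
/* Constructed toy key standing in for the OS-protected key a real browser uses.
 * XOR is not a cipher; the example is about WHEN plaintext exists in memory. */
static const uint8_t TOY_KEY[] = "toy-key-0123456789abcdef";

static void toy_crypt(uint8_t *buf, size_t len) {
    size_t klen = sizeof TOY_KEY - 1;                   /* exclude the NUL */
    for (size_t i = 0; i < len; i++) buf[i] ^= TOY_KEY[i % klen];
}

/* Wipe through a volatile pointer so the compiler keeps the stores. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

typedef struct { char site[32]; uint8_t ciphertext[MAX_SECRET]; size_t len; } Entry;
/* Hypothetical eager vault: every entry decrypted at load and kept resident,
 * the behaviour the article describes. */
typedef struct { Entry entries[MAX_ENTRIES]; uint8_t plaintext[MAX_ENTRIES][MAX_SECRET]; size_t count; } EagerVault;

/* Hypothetical lazy vault: only ciphertext is ever resident. */
typedef struct { Entry entries[MAX_ENTRIES]; size_t count; } LazyVault;

static void entry_set(Entry *e, const char *site, const char *password) {
    size_t len = strlen(password);
    if (len > MAX_SECRET) len = MAX_SECRET;
    snprintf(e->site, sizeof e->site, "%s", site);
    memcpy(e->ciphertext, password, len);
    toy_crypt(e->ciphertext, len);                      /* stored encrypted */
    e->len = len;
}

typedef void (*use_fn)(const uint8_t *pw, size_t len, void *ctx);
/* Lazy design: decrypt one entry into the caller's scratch buffer, hand it to
 * fn for a single use, wipe the buffer, return. Returns 1 if found, else 0. */
static int lazy_use(const LazyVault *v, const char *site, uint8_t *scratch,
                    size_t cap, use_fn fn, void *ctx) {
    for (size_t i = 0; i < v->count; i++) {
        const Entry *e = &v->entries[i];
        if (strcmp(e->site, site) != 0 || e->len > cap) continue;
        memcpy(scratch, e->ciphertext, e->len);
        toy_crypt(scratch, e->len);                     /* plaintext from here... */
        fn(scratch, e->len, ctx);
        secure_zero(scratch, cap);                      /* ...to here, no longer */
        return 1;
    }
    return 0;
}

/* Stand-in for reading process memory: scan only the vault struct for a plaintext string. */
static int region_contains(const void *region, size_t len, const char *needle) {
    const uint8_t *p = region;
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed sample credential. */
static const char *SAMPLE_SITE = "mail.example";
static const char *SAMPLE_PW = "constructed-pw-1";

/* 1 if the eager vault holds the plaintext at rest after "startup". */
static int eager_vault_exposes_plaintext(void) {
    EagerVault v; memset(&v, 0, sizeof v); v.count = 1;
    entry_set(&v.entries[0], SAMPLE_SITE, SAMPLE_PW);
    memcpy(v.plaintext[0], v.entries[0].ciphertext, v.entries[0].len);
    toy_crypt(v.plaintext[0], v.entries[0].len);        /* startup: decrypt all */
    return region_contains(&v, sizeof v, SAMPLE_PW);
}

/* 1 if the lazy vault holds the plaintext at rest (it should not). */
static int lazy_vault_exposes_plaintext(void) {
    LazyVault v; memset(&v, 0, sizeof v); v.count = 1;
    entry_set(&v.entries[0], SAMPLE_SITE, SAMPLE_PW);
    return region_contains(&v, sizeof v, SAMPLE_PW);
}

/* The "login" callback records only whether it received the right secret. */
static void check_pw(const uint8_t *pw, size_t len, void *ctx) {
    *(int *)ctx = (len == strlen(SAMPLE_PW) && memcmp(pw, SAMPLE_PW, len) == 0);
}

/* 1 when the lazy path delivered the correct password and left scratch fully zeroed. */
static int lazy_use_delivers_then_wipes(void) {
    LazyVault v; memset(&v, 0, sizeof v); v.count = 1;
    uint8_t scratch[MAX_SECRET]; int delivered = 0;
    entry_set(&v.entries[0], SAMPLE_SITE, SAMPLE_PW);
    if (!lazy_use(&v, SAMPLE_SITE, scratch, sizeof scratch, check_pw, &delivered)) return 0;
    for (size_t i = 0; i < sizeof scratch; i++) if (scratch[i] != 0) return 0;
    return delivered;
}
```

Calling the three check functions shows the point of the best practice: `eager_vault_exposes_plaintext()` returns 1 because the decrypted copy sits in the struct for as long as the process runs, while `lazy_vault_exposes_plaintext()` returns 0 and `lazy_use_delivers_then_wipes()` returns 1, since the plaintext exists only inside the single call to the use callback and is zeroed before `lazy_use` returns. In a real browser the window would still be non-zero (the page's own process has to see the password), but a memory reader would have to catch exactly that moment rather than finding every credential at rest.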
Recommendations
Given Microsoft’s stance, users concerned about the potential exposure of saved passwords may want to consider alternative password managers or browsers that do not load passwords into memory in plaintext.
Mashable has reached out to Microsoft for further comment and will update this piece if additional information becomes available.