
Microsoft Edge Stores Your Passwords in Plaintext. What That Means.

May 7, 2026

Microsoft Edge browser window open on a laptop with a security warning overlay, representing exposed password credentials in memory.

If your team saves passwords in the Microsoft Edge browser, there's a security issue you need to know about right now. A security researcher has confirmed that Edge loads every saved password into memory as readable text the moment the browser opens, and keeps them there for the entire session, whether those credentials are ever used or not. Microsoft says this is intentional.

What the Researcher Found

Norwegian security researcher Tom Jøran Sønstebyseter Rønning disclosed the finding on X in May 2025 after presenting it at Palo Alto Networks Norway's BIG Bite of Tech conference. Rønning, an offensive security specialist and technical team lead at Statnett SF, tested every major Chromium-based browser to see how each handles credentials in memory. Edge was the only one that decrypts the entire password vault at startup and holds all of it in plaintext RAM for the full duration of the browser session.

"This happens even if you never visit a site that uses those credentials," Rønning wrote. He published a proof-of-concept tool on GitHub demonstrating that saved Edge credentials can be extracted directly from process memory without opening the password manager, bypassing Edge's own authentication prompt entirely. Security researchers classify this kind of flaw as CWE-316, Cleartext Storage of Sensitive Information in Memory, a well-documented weakness class that modern credential systems are specifically designed to avoid. (The Common Weakness Enumeration, or CWE, is MITRE's catalog of software and hardware weakness types; each entry describes a recurring category of flaw rather than one specific bug.)

CWE-316 covers sensitive data that sits in memory in readable form longer than it needs to, or in memory that parties who should not see it can read. It applies not just to plain text but to any form that can be trivially reversed, including Base64 encoding. Application memory is more exposed than most people realize: diagnostic tools write heap dumps and memory snapshots; crashed processes leave core dump files; the operating system pages memory out to swap and hibernation files; a debugger, or any process holding a handle with read access, can inspect it directly. Any of these can hand an attacker a readable copy of credentials that were never meant to leave the application.

Base64 is an encoding scheme that converts binary data into a string of plain ASCII characters. It's commonly used to transmit data over systems that only handle text, like email or URLs. It's not encryption. Anyone who receives Base64-encoded data can decode it instantly with free tools available anywhere online, which is why security standards treat it as effectively the same as plaintext.

When Rønning reported the behavior to Microsoft, the company confirmed it was a deliberate design decision. A Microsoft spokesperson told Dark Reading: "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats." Microsoft's recommended mitigation was to keep devices patched and run antivirus software.

Compounding Risks

The distinction worth understanding here is not just that Edge stores passwords insecurely. It's how different that approach is from every other major browser. Chrome, Brave, and the other Chromium-based browsers Rønning tested keep the credential store encrypted and decrypt a password only at the moment it's needed. Chrome on Windows additionally uses App-Bound Encryption, which ties the key protecting the credential store to the browser's own identity through a privileged service, so a process merely running as the same user cannot unwrap that key. A password appears briefly in plaintext during autofill, and that copy is then discarded.

Edge does none of this. All saved credentials sit in readable memory from startup to close, whether you use one of them or not.
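The difference between the two designs, and what a memory scraper actually sees in each case, fits in a few dozen lines. The following is an added example written for this post; it is not Rønning's proof-of-concept and not Edge or Chromium code. It models the CWE-316 exposure described earlier and the two vault strategies above using a toy XOR "cipher" (an assumption standing in for the real one, not a secure construction) and constructed sample sites and passwords:

```c
/*
 * Added example, not the researcher's PoC and not Edge or Chromium code: a toy model
 * of an eager vault (everything decrypted at open) versus an on-demand vault (one
 * entry decrypted, used, wiped), plus the search a memory scraper performs.
 * The "cipher" is a repeating XOR keystream so the program is self-contained;
 * it is NOT real or secure cryptography. Passwords below are constructed sample data.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SECRET  64
#define NUM_RECORDS 2

typedef struct {                 /* one stored record: password ciphertext only */
    unsigned char ct[MAX_SECRET];
    size_t        ct_len;
} record_t;

typedef struct {                 /* eager design: every record decrypted, open to close */
    char plain[NUM_RECORDS][MAX_SECRET];
} eager_vault_t;

static const unsigned char toy_key[] = "toy-keystream-not-real-crypto";

/* XOR with a repeating key: encrypt and decrypt are the same operation. */
static void toy_crypt(const unsigned char *in, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ toy_key[i % (sizeof toy_key - 1)];
}

/* Wipe the optimizer cannot drop: every store goes through a volatile pointer. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* What a memory scraper does once it can read a region: look for a known pattern. */
static int scan_region(const void *region, size_t len, const char *needle)
{
    const unsigned char *r = (const unsigned char *)region;
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(r + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Build the sample vault from constructed data. */
static void build_vault(record_t recs[NUM_RECORDS])
{
    static const char *pws[NUM_RECORDS] = { "Hunter2-correct-horse", "Tr0ub4dor&3-example" };
    memset(recs, 0, NUM_RECORDS * sizeof recs[0]);
    for (int i = 0; i < NUM_RECORDS; i++) {
        recs[i].ct_len = strlen(pws[i]) + 1;
        toy_crypt((const unsigned char *)pws[i], recs[i].ct, recs[i].ct_len);
    }
}

/* Eager: decrypt everything at open time (the behaviour the post attributes to Edge). */
static void eager_open(const record_t recs[NUM_RECORDS], eager_vault_t *v)
{
    memset(v, 0, sizeof *v);
    for (int i = 0; i < NUM_RECORDS; i++)
        toy_crypt(recs[i].ct, (unsigned char *)v->plain[i], recs[i].ct_len);
}

/* On demand: decrypt one record into the caller's buffer; the caller wipes it after use. */
static void ondemand_fetch(const record_t *rec, char out[MAX_SECRET])
{
    memset(out, 0, MAX_SECRET);
    toy_crypt(rec->ct, (unsigned char *)out, rec->ct_len);
}

/* 1 if a credential the user never used is readable after an eager open. */
int eager_exposes_unused_credential(void)
{
    record_t recs[NUM_RECORDS];
    eager_vault_t v;
    build_vault(recs);
    eager_open(recs, &v);
    /* The user only ever "visits" the first site, yet the second password is there too. */
    int found = scan_region(&v, sizeof v, "Tr0ub4dor&3-example");
    secure_wipe(&v, sizeof v);
    return found;
}

/* 0 if the password was visible during use and gone afterwards; 1 otherwise. */
int ondemand_leaks_after_use(void)
{
    record_t recs[NUM_RECORDS];
    char buf[MAX_SECRET];
    build_vault(recs);
    ondemand_fetch(&recs[0], buf);                                   /* autofill moment */
    int during = scan_region(buf, sizeof buf, "Hunter2-correct-horse");
    secure_wipe(buf, sizeof buf);                                    /* done with it */
    int after  = scan_region(buf,  sizeof buf,  "Hunter2-correct-horse")
              || scan_region(recs, sizeof recs, "Hunter2-correct-horse");
    return (during && !after) ? 0 : 1;
}

int main(void)
{
    printf("eager design exposes an unused credential: %d\n", eager_exposes_unused_credential());
    printf("on-demand design leaks after wipe:         %d\n", ondemand_leaks_after_use());
    return 0;
}
```

The point of the wipe through a volatile pointer is that a plain memset on a buffer that is about to go out of scope is a dead store the compiler may legally delete, which would leave the plaintext in place exactly as in the eager design. Real browsers also have to worry about copies the scanner here does not model (string temporaries, clipboard, renderer IPC), which is why the on-demand design narrows the window rather than closing it.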

This creates a meaningfully larger attack surface. An attacker who gains code execution on a machine, through phishing, a malicious download, or a compromised remote management tool, can simply read the Edge process's memory with ordinary operating-system calls: open a handle to the process with read access and copy the pages out. No cryptography needs to be broken. Nothing looks unusual from the browser's own perspective, because the credentials are already decrypted and waiting. The only trace is the cross-process memory access itself, which the operating system does see and which endpoint tooling can be configured to record.

The risk compounds significantly in shared environments. Rønning specifically demonstrated that an attacker with administrative access on a terminal server, virtual desktop infrastructure host, or shared workstation can pull stored credentials from every logged-on user running Edge at the same time. That case reflects exactly how attackers move through enterprise environments: gain a foothold, escalate privileges, harvest credentials, expand access.
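Microsoft's mitigation advice amounts to "detect the attacker"; the concrete signal to detect is the handle open described above. The following is an added example, not part of the original post or the researcher's tooling: a detection filter over Sysmon ProcessAccess (Event ID 10) records, which carry SourceImage, TargetImage and GrantedAccess fields. It flags any process outside an allowlist that obtains a handle to msedge.exe including PROCESS_VM_READ (0x0010), the right ReadProcessMemory needs. The records are constructed sample data in a simplified pipe-delimited key=value export rather than real telemetry, and the allowlist (Edge's own process tree) is a placeholder to be tuned per fleet:

```c
/*
 * Added example, not from the original post: flag Sysmon Event ID 10 records where a
 * process outside the allowlist opens msedge.exe with PROCESS_VM_READ. Records are
 * constructed sample data in a simplified "key=value|key=value" export; a real pipeline
 * would read the same Sysmon fields from the SIEM. The allowlist is a placeholder.
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define PROCESS_VM_READ 0x0010UL   /* the access right ReadProcessMemory requires */

/* Copy the value of key=... from a '|'-delimited record into out. Returns 1 if found. */
static int get_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == rec || p[-1] == '|') && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t n = strcspn(val, "|");
            if (n >= outsz) n = outsz - 1;
            memcpy(out, val, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Case-insensitive "does s end with suffix", for image paths. */
static int ends_with_icase(const char *s, const char *suffix)
{
    size_t sl = strlen(s), xl = strlen(suffix);
    if (xl > sl) return 0;
    for (size_t i = 0; i < xl; i++)
        if (tolower((unsigned char)s[sl - xl + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* 1 if the record is a read-capable handle to msedge.exe from a process outside the
 * allowlist. Query-only handles (e.g. 0x1000 from Task Manager) are deliberately ignored. */
int is_suspicious_edge_memory_read(const char *rec)
{
    char id[8], src[260], tgt[260], acc[32];
    if (!get_field(rec, "EventID", id, sizeof id) || strcmp(id, "10") != 0) return 0;
    if (!get_field(rec, "TargetImage", tgt, sizeof tgt)) return 0;
    if (!ends_with_icase(tgt, "\\msedge.exe")) return 0;
    if (!get_field(rec, "GrantedAccess", acc, sizeof acc)) return 0;
    unsigned long access = strtoul(acc, NULL, 16);               /* accepts the 0x prefix */
    if ((access & PROCESS_VM_READ) == 0) return 0;
    if (!get_field(rec, "SourceImage", src, sizeof src)) return 1;   /* no source: flag it */
    /* Placeholder allowlist: Edge's own process tree opens its children with full access. */
    if (ends_with_icase(src, "\\msedge.exe")) return 0;
    return 1;
}

/* Constructed sample export (not real telemetry). */
const char *const sample_events[] = {
    "EventID=10|SourceImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe|TargetImage=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Windows\\System32\\rundll32.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=1|Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe|CommandLine=updater.exe /silent",
};
const size_t sample_count = sizeof sample_events / sizeof sample_events[0];

/* Count the records an analyst should be shown. */
size_t count_flagged(const char *const *recs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)is_suspicious_edge_memory_read(recs[i]);
    return hits;
}
```

Two caveats before deploying something like this: Sysmon only records ProcessAccess for targets its configuration includes, and the common community configs cover lsass.exe rather than browsers, so an include rule for msedge.exe has to be added first; and EDR or antivirus agents routinely open handles to every process with read access, so expect to extend the allowlist beyond Edge's own tree before the alert is usable.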

What Microsoft's Response Means

Microsoft's position is that exploiting this behavior requires the device to already be compromised. That is technically accurate. But it misses the point in a way that matters for businesses: credential theft is rarely about a single compromised machine in isolation. It's about what happens after that first foothold. Plaintext passwords in memory are what let an attacker move from one compromised account to ten, and from one device to the entire network. They are the mechanism by which a limited intrusion becomes a full incident.

It's also worth noting that Germany's Federal Office for Information Security (BSI) didn't include the Microsoft Edge password manager in its December 2025 evaluation of 10 popular password managers. The BSI tested the Chrome and Firefox password managers alongside eight dedicated tools; Edge wasn't among them. The BSI gave no reason for the omission, so it shouldn't be read as a verdict on its own, but this finding lands in that broader context of institutional caution about Edge as a credential store.

Connection to Infostealer Malware

This disclosure lands in the middle of a documented surge in infostealer malware, which exists to do what Rønning's proof-of-concept demonstrates: harvest browser-stored credentials and ship them to attacker-controlled servers. Most infostealers today read the browser's on-disk credential database and unwrap it with the user's own DPAPI keys; a credential store that is already decrypted in memory simply gives them a second, even easier source. According to Flashpoint's Global Threat Intelligence Index, credential theft via infostealers surged 800% in the first half of 2025, with 1.8 billion credentials stolen from 5.8 million devices. Edge's architecture makes that harvest easier, not harder. We cover the full scope of that threat in our post on why browser-stored passwords are your biggest security problem.

What Your Business Should Do

The remediation is the same regardless of which browser your team uses, but it's more urgent for Edge users. Stop storing passwords in browsers. Move all credentials to a dedicated password manager, then delete everything stored in Edge. If you need step-by-step instructions for removing saved passwords from Edge and every other major browser, see our guide on how to remove saved passwords from browsers.

For companies managing Edge across a fleet of Windows devices, Group Policy provides a direct path to enforcement. In the Group Policy Management Editor, navigate to User Configuration > Policies > Administrative Templates > Microsoft Edge > Password manager and protection and set "Enable saving passwords to the password manager" to Disabled (the same policy also exists under Computer Configuration). On devices outside Group Policy, the equivalent is the PasswordManagerEnabled DWORD value set to 0 under HKLM\SOFTWARE\Policies\Microsoft\Edge, and edge://policy on a client shows whether the policy has taken effect. This prevents new passwords from being saved, but previously stored credentials remain until they are deleted. Pair the policy change with a migration to an enterprise password manager to close both gaps.

Dedicated password managers handle credentials differently by design. They encrypt the vault with keys derived on the user's device, require explicit authentication before revealing any credential, decrypt entries on demand rather than loading the whole vault at startup, and lock again after a timeout. That architecture does not eliminate in-memory exposure entirely, since an unlocked vault still has secrets in RAM, but it confines the exposure to the entries in use while the vault is unlocked, which removes the always-on, whole-vault exposure this disclosure describes.

The question for any business running Edge is whether passwords currently saved in that browser are worth the exposure. Given that Microsoft has stated this is by design and offered no timeline for changing it, the answer is straightforward: they aren't. Contact STACK if you need help migrating your team to a dedicated password manager and removing credentials from browsers across your environment.

Need Help Moving Away From Browser-Stored Passwords?

STACK Cybersecurity provides live onboarding sessions for clients deploying Keeper Password Manager. We handle the technical migration, remove all credentials from browsers across your environment, and train your team on secure password practices.

Email: info@stackcyber.com
Phone: (734) 744-5300

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.
