Edge Browser Leaves Passwords Exposed in Plain Text, Says Researcher

Computerworld – IT Leadership
May 5, 2026

Why It Matters

The flaw exposes enterprise credentials on shared or vulnerable machines, creating a low‑effort attack vector for cybercriminals and raising significant security concerns for organizations using Edge as a password manager.

Key Takeaways

  • Edge decrypts saved passwords at startup, keeping them in memory.
  • Plain‑text passwords persist even after closing and reopening the browser.
  • Microsoft claims the issue only matters on already compromised devices.
  • Security experts label the design a “blank check” for attackers.
  • Competing browsers like Chrome use App‑Bound Encryption to protect credentials.

Pulse Analysis

Edge’s built‑in password manager was designed for convenience, automatically decrypting stored credentials each time the browser starts. Norwegian researcher Tom Jøran Sønstebyseter Rønning demonstrated that these passwords remain in clear text within the Edge process memory, even after the user has closed the site. He released a lightweight GitHub utility that extracts the plaintext values, confirming the issue across multiple Windows installations. Microsoft’s official response frames the behavior as a performance‑security trade‑off, arguing that memory access is required for rapid sign‑ins.

For enterprises, the flaw turns any shared or lightly managed workstation into a credential vault that malware can harvest with minimal effort. Because the passwords are exposed in RAM, a low‑level key‑logger or a malicious browser extension can read them without needing to break encryption. Competing browsers such as Google Chrome have adopted App‑Bound Encryption, which encrypts saved passwords and prevents them from being stored in plaintext memory. While Chrome’s scheme has been breached in the past, it still raises the technical bar far above Edge’s current implementation.

Microsoft’s dismissal that the issue only matters on already compromised devices does little to reassure risk‑averse IT teams. Security experts argue that exposing passwords in memory is a “blank check” for attackers, especially in environments where devices are shared or not fully patched. Organizations should consider dedicated password‑manager solutions that store credentials in encrypted vaults, or enforce strict browser hardening policies. As the browser market continues to prioritize speed over security, pressure from enterprise customers may force Microsoft to adopt stronger in‑memory encryption similar to Chrome’s approach.
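One concrete form of the "strict browser hardening policies" mentioned above is to switch off Edge's built-in password manager by policy, so that the browser has no stored credentials to decrypt into memory at startup and users are steered to a dedicated vault instead. The script below is an added example, not code from the article or from the researcher's utility; it assumes the Chromium-derived Edge policy name PasswordManagerEnabled under the HKLM\SOFTWARE\Policies\Microsoft\Edge key, which should be confirmed against Microsoft's Edge policy reference for the Edge version in use. The function names are the example's own.

```powershell
# Added example (not from the article): enforce and audit the Edge policy that turns off
# the built-in password manager, so Edge holds no saved credentials to decrypt at startup.
# Assumption: the documented Edge policy PasswordManagerEnabled (DWORD, 0 = off) lives under
# HKLM\SOFTWARE\Policies\Microsoft\Edge. Run in an elevated PowerShell session.

$EdgePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName     = 'PasswordManagerEnabled'

function Set-EdgePasswordManagerPolicy {
    # Writes the policy value; -Enabled:$false (the default) disables the password manager.
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Enabled = $false)

    if (-not (Test-Path $EdgePolicyPath)) {
        New-Item -Path $EdgePolicyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$EdgePolicyPath\$PolicyName", "set to $([int]$Enabled)")) {
        New-ItemProperty -Path $EdgePolicyPath -Name $PolicyName -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
    }
}

function Test-EdgePasswordManagerPolicy {
    # Reports whether the policy is present and whether the host is compliant (value 0).
    # A missing value means "not configured", which leaves Edge's default (enabled) in force.
    $value = $null
    if (Test-Path $EdgePolicyPath) {
        $value = (Get-ItemProperty -Path $EdgePolicyPath -Name $PolicyName `
                     -ErrorAction SilentlyContinue).$PolicyName
    }
    $state = if ($null -eq $value) { 'NotConfigured (Edge default: enabled)' }
             elseif ($value -eq 0) { 'Disabled' }
             else                  { 'Enabled' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyPresent   = ($null -ne $value)
        PasswordManager = $state
        Compliant       = ($value -eq 0)
    }
}

# Usage: enforce the policy on this host, then audit the result.
Set-EdgePasswordManagerPolicy -Enabled:$false
Test-EdgePasswordManagerPolicy | Format-List
```

The same policy is normally deployed fleet-wide through Group Policy or Intune rather than per host; the audit function is the useful part in that setting, since it can be run across endpoints to find machines where the policy never applied. Turning the policy off stops Edge from acting as a password manager but does not migrate credentials users have already saved, so pair it with a rollout of the dedicated vault and a cleanup of existing browser-stored passwords.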
