Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk

Dark Reading, May 5, 2026

Why It Matters

The flaw enables a compromised admin account to harvest enterprise credentials, facilitating lateral movement, data theft, and ransomware attacks across Windows environments that rely on Edge for password storage.

Key Takeaways

  • Edge loads all saved passwords into memory in cleartext.
  • Admins can scrape memory via VDI, Citrix, or terminal servers.
  • Chrome, Brave, and others use app‑bound encryption to limit exposure.
  • Microsoft labels the behavior “by design,” citing performance trade‑offs.
  • Disabling Edge password storage or using password managers mitigates risk.

Pulse Analysis

Edge’s approach to credential handling reflects a trade‑off between user convenience and security. By decrypting every stored password at launch and keeping it resident in process memory, the browser can autofill forms instantly, but it also creates a broad attack surface. An administrator‑level attacker who can access a user’s session—common in shared desktops, virtual desktop infrastructure, or Citrix deployments—can dump the entire password vault without the user ever opening a site, turning a single foothold into a massive credential leak.

In contrast, Chrome, Brave, and other Chromium‑based browsers have adopted app‑bound encryption (ABE), which ties decryption keys to a specific browser process. This design ensures passwords are only decrypted on demand, typically during autofill, and remain encrypted in memory otherwise. The ABE model dramatically reduces the effectiveness of memory‑scraping attacks, as malicious processes cannot reuse the decryption keys. Edge’s decision to forgo ABE, citing performance and usability, leaves it uniquely vulnerable among its peers, highlighting how subtle implementation choices can have outsized security implications.

Enterprises can mitigate the risk by enforcing group‑policy settings that disable Edge’s password‑saving feature, redirecting users to managed password‑manager solutions that enforce strong access controls and audit trails. Limiting local admin privileges, monitoring for anomalous memory‑access patterns, and segmenting high‑risk workloads—such as shared terminals and VDI sessions—further reduce exposure. As browsers continue to serve as de‑facto credential stores, organizations must balance convenience with hardened configurations to protect against credential‑theft vectors that can cascade into broader breaches.
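
One way to verify the first mitigation on a Windows endpoint, as an added example that is not from the article or from Microsoft: the function below checks whether Edge's password-saving policy is enforced off rather than merely recommended. The policy name `PasswordManagerEnabled` and the `SOFTWARE\Policies\Microsoft\Edge` key come from Microsoft's published Edge policy reference, not from this page; the function name and output fields are hypothetical.

```powershell
# Added example: audit whether Edge password saving is disabled by policy.
# Function name and output fields are illustrative, not part of any product.
function Get-EdgePasswordPolicyState {
    [CmdletBinding()]
    param(
        [string]$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Edge',
        [string]$ValueName    = 'PasswordManagerEnabled'
    )

    # Checked in precedence order: mandatory machine policy, then mandatory
    # user policy. "Recommended" values are only defaults a user can change,
    # so they never count as compliant. HKCU is the hive of the account
    # running this script, so run it in the user's session for user scope.
    $candidates = @(
        @{ Scope = 'Machine'; Level = 'Mandatory';   Path = "HKLM:\$PolicySubKey" },
        @{ Scope = 'User';    Level = 'Mandatory';   Path = "HKCU:\$PolicySubKey" },
        @{ Scope = 'Machine'; Level = 'Recommended'; Path = "HKLM:\$PolicySubKey\Recommended" },
        @{ Scope = 'User';    Level = 'Recommended'; Path = "HKCU:\$PolicySubKey\Recommended" }
    )

    foreach ($c in $candidates) {
        # Missing key or missing value both yield $null with errors suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        $value       = [int]$item.$ValueName
        $enforcedOff = ($c.Level -eq 'Mandatory' -and $value -eq 0)
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Scope     = $c.Scope
            Level     = $c.Level
            Value     = $value
            Compliant = $enforcedOff
            Finding   = if ($enforcedOff) { 'Password saving disabled by mandatory policy' }
                        elseif ($c.Level -eq 'Recommended') { 'Only a recommended default; user can re-enable saving' }
                        else { 'Policy explicitly allows password saving' }
        }
    }

    # No policy value anywhere: Edge falls back to its own default behaviour.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Scope = $null; Level = 'NotConfigured'
        Value = $null; Compliant = $false; Finding = 'Policy not configured'
    }
}

Get-EdgePasswordPolicyState | Format-List
```

The policy governs saving; passwords already stored in existing Edge profiles need to be checked and cleaned up separately.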