If you save your passwords in Microsoft Edge, here’s something you should know. Every time you open the browser, it decrypts all your saved passwords and loads them into memory in cleartext, where they stay for your entire session. That means your passwords are sitting unprotected in your device’s memory even if you never visit any of the sites they belong to.
Security researcher Tom Rønning discovered this behavior and reported it to Microsoft. However, the company responded by saying the behavior is by design.
Edge is the only Chromium browser that saves your password in this manner
Microsoft Edge is built on Chromium, the same open-source base that powers Google Chrome. But Chrome handles passwords very differently. It only decrypts a password at the moment it is actually needed, such as during autofill.
Chrome also uses a feature called Application-Bound Encryption, which ties the decryption keys to an authenticated Chrome process, making it significantly harder for attackers to pull passwords out of memory. But Microsoft Edge does neither.
Rønning tested multiple Chromium-based browsers and found that Edge was the only one that loaded all saved passwords into memory at startup and left them out there in cleartext.
What does Microsoft say, and should you be worried?
In a statement to CyberNews, Microsoft said the behavior exists to help users sign in quickly and that exploiting it would require an attacker to already have administrative access to the device.
Security experts broadly agree that admin-level access is effectively a full system compromise regardless of what browser you use. Even so, cybersecurity professionals warn that modern infostealer malware specifically targets the window between encrypted storage and runtime exposure, making cleartext passwords in memory a real risk.
The practical advice from security experts is consistent regardless of which browser you use. Stop storing passwords in your browser entirely and switch to a dedicated password manager instead.
