Microsoft Edge Password Security: Plaintext RAM Storage Exposed

If you rely on your browser to store passwords, recent findings about Microsoft Edge should give you pause. A security researcher discovered that Edge keeps all saved passwords in plaintext within its memory, even when you're not actively using them. This raises serious concerns about local security and the design choices of Microsoft's Chromium-based browser. Below, we explore the details of this vulnerability, how it compares to other password managers, and what steps you can take to protect your credentials.

What is the security vulnerability discovered in Microsoft Edge?

Security researcher Tom Jøran Sønstebyseter Rønning uncovered a critical flaw in Microsoft Edge's password manager. When you save passwords in Edge, the browser loads all of them into memory in cleartext — meaning no encryption is applied while they reside in RAM. This includes passwords that have never been used during the current session. As demonstrated in a video shared on social media, any attacker with local access to your system can retrieve these passwords simply by reading the memory. Unlike typical password managers that decrypt passwords on demand and then discard them, Edge keeps them persistently exposed in plaintext, making interception trivial for malicious users.

Source: www.pcworld.com

How does Microsoft Edge's password manager differ from other browsers?

Most browser-based password managers, including those in Chrome and Firefox, use encryption to protect stored passwords. When you need to autofill a credential, the manager decrypts it temporarily in memory and then wipes that data after use. However, Edge behaves differently: it loads all saved passwords into RAM without any encryption layer and retains them there indefinitely. Researcher Rønning tested multiple Chromium-based browsers and found that Edge was the only one exhibiting this behavior. This means that even if you haven't logged into any site during a session, your entire password vault remains accessible to anyone who can read your computer's memory.

Is this password storage behavior a bug or intentional?

After reporting the issue to Microsoft, Rønning received an unexpected response. According to ITavisen (machine translated), the company stated that this is “a deliberate design decision,” not a bug. The specific reasoning behind this choice remains unclear, as no apparent benefit to users has been identified. Storing passwords in plaintext RAM offers no performance advantage for autofill or syncing compared to encrypted storage. This design actually violates standard security practices, making it a puzzling decision. Regardless, Microsoft has confirmed that the behavior is intentional and will not be changed as a bug fix.

What can an attacker do with this vulnerability?

An attacker with local access to your machine can exploit this vulnerability with ease. They do not need your password or any special privileges beyond basic user-level access. By reading the memory allocated to Microsoft Edge, they can extract all stored credentials in plaintext. This includes usernames and passwords for any website you have saved. The attack is especially dangerous on shared or compromised computers, where malicious software or another user can silently dump Edge's memory. Even if you have not visited any sites in the current session, the passwords remain loaded and vulnerable. In his demonstration, Rønning showed how a simple memory scan reveals the entire password list without any authentication.

How does Edge's authentication for viewing passwords compare to the RAM exposure?

Microsoft Edge does require authentication — such as your system password or Windows Hello — when you attempt to view saved passwords within the browser's settings. However, this security measure only protects the graphical user interface. Since the passwords are already loaded in plaintext in RAM, an attacker can bypass the authentication step entirely by reading memory directly. This means the authentication check provides no real security against local attacks. It gives users a false sense of safety, as the actual vulnerability — the plaintext storage in RAM — remains accessible. The authentication is essentially a “lock on the front door” while the “back door” is wide open.

What steps should Edge users take to protect themselves?

Given this vulnerability, the safest course of action is to stop using Edge's built-in password manager immediately. First, migrate your saved passwords to a dedicated, secure password manager such as 1Password, Bitwarden, or KeePass. These services use end-to-end encryption and never store credentials in plaintext. After transferring your passwords, delete all saved passwords from Edge. You can do this by going to Edge settings, selecting “Passwords,” and removing each entry. Then, disable password saving in Edge entirely. For a list of recommended options, refer to PCWorld's picks for the best password managers. Additionally, consider using a password manager that integrates with your browser but operates independently of its memory management.
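The last two steps above can be checked and enforced from an elevated PowerShell session. This is an added example, not code from the article or from Microsoft; it assumes Edge's `PasswordManagerEnabled` policy value under `SOFTWARE\Policies\Microsoft\Edge` and the default per-user profile path, and the function names are hypothetical.

```powershell
# Added example, not from the article. Run elevated; pass -Enforce to write the policy.
param([switch]$Enforce)

# Edge policy value that controls whether the browser saves passwords (REG_DWORD).
$policyName = 'PasswordManagerEnabled'
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
              'HKCU:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePasswordPolicy {
    # Report the policy value at machine and user scope; 0 means saving is disabled.
    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $policyName -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$policyName }
        }
        [pscustomobject]@{
            Key            = $key
            Value          = if ($null -eq $value) { 'not set' } else { $value }
            SavingDisabled = ($null -ne $value -and $value -eq 0)
        }
    }
}

function Get-EdgeProfilesToReview {
    # Assumption: default install layout. A 'Login Data' file marks a profile that has
    # a credential store on disk; the file can exist while empty, so this only lists
    # the profiles whose saved passwords should be reviewed and deleted in Edge settings.
    $users = Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue
    foreach ($user in $users) {
        $root = Join-Path $user.FullName 'AppData\Local\Microsoft\Edge\User Data'
        if (-not (Test-Path $root)) { continue }
        foreach ($dir in Get-ChildItem $root -Directory) {
            if (Test-Path (Join-Path $dir.FullName 'Login Data')) {
                [pscustomobject]@{ User = $user.Name; Profile = $dir.Name }
            }
        }
    }
}

if ($Enforce) {
    $key = $policyKeys[0]   # machine-wide mandatory policy
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $policyName -Value 0 -PropertyType DWord -Force | Out-Null
}

Get-EdgePasswordPolicy   | Format-Table -AutoSize
Get-EdgeProfilesToReview | Format-Table -AutoSize
```

The policy only stops Edge from saving new passwords; entries that were already saved still have to be deleted as described above.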

What did the security researcher do after Microsoft's response?

After being told that the plaintext storage was intentional, Rønning decided to publicly warn users about the risk. He also announced plans to publish his own tool on GitHub that allows anyone to check whether their Edge passwords are stored in plaintext. This tool will enable users to verify the vulnerability on their own systems, raising awareness and pushing for change. Although Microsoft did not treat this as a security bug, Rønning's disclosure has prompted many to reconsider the safety of Edge's password management. His actions highlight the importance of independent security research and user vigilance in the face of corporate design choices that prioritize convenience over protection.
