Microsoft Edge Exposes Saved Passwords in Memory at Launch

Summary
– Microsoft Edge decrypts all stored passwords into plaintext process memory at launch and retains them for the entire session, regardless of user activity.
– Google Chrome only decrypts credentials on demand during autofill or when a user views saved passwords, and uses App-Bound Encryption to protect decryption keys.
– Edge’s re-authentication prompt in the Password Manager is ineffective because all credentials are already available in plaintext in process memory.
– In shared or multi-user environments like terminal servers, an attacker with admin privileges can extract credentials from all logged-on users by reading Edge’s process memory.
– Microsoft acknowledged the behavior is “by design” and considers local memory access outside its threat model, prompting security teams to treat it as a high-risk configuration.
A security researcher has revealed that Microsoft Edge decrypts every stored password into process memory the moment the browser launches, holding them in cleartext for the entire session, regardless of whether the user ever visits those sites.
The discovery, made public on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, came from researcher @L1v1ng0ffTh3L4N, who methodically tested every major Chromium-based browser for how they handle credentials in memory. Edge was the only browser found to load the entire password vault into plaintext process memory at startup and retain it until the session ends.
The contrast with Google Chrome is sharp. Chrome uses on-demand decryption, meaning credentials are only decrypted when needed: during autofill or when a user explicitly views a saved password. Chrome also adds App-Bound Encryption, which cryptographically ties decryption keys to an authenticated Chrome process, blocking other processes from reusing those keys to access credentials.
Edge provides none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits exposed in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.
What makes this finding especially contradictory is Edge’s own user interface behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface. Yet the browser process already holds all those credentials in plaintext, fully accessible to anyone who can query process memory. The re-authentication gate, therefore, offers only the illusion of access control; it provides no actual protection against memory-based credential extraction.
The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers. An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.
In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected but still active sessions, simply by reading their Edge browser process memory.
Microsoft Edge loads all your saved passwords into memory in cleartext, even when you’re not using them. pic.twitter.com/ci0ZLEYFLB (Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N), May 4, 2026)
This turns a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 (Credentials from Web Browsers).
When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.” Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model.
The April 29 disclosure at BigBiteOfTech included a small educational verification tool that lets any user confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior.
Security teams managing Windows environments with Edge deployed on terminal servers, VDI environments, or any shared-access systems should treat this as a high-priority configuration risk. Consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.
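One way to watch for the cross-user memory reads described above, as an added example that is not from the researcher, Microsoft, or the original article: triage Sysmon Event ID 10 (ProcessAccess) records for handles to msedge.exe that include the memory-read right. It assumes Sysmon is deployed with a ProcessAccess rule covering msedge.exe and a version that records SourceUser and TargetUser; the events, account names and `tool.exe` are constructed placeholders.

```python
# Added example: triage Sysmon Event ID 10 (ProcessAccess) records for
# handles that can read msedge.exe memory. All events are constructed.
PROCESS_VM_READ = 0x0010  # Windows access right required to read process memory
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [  # constructed samples using Sysmon ProcessAccess field names
    # Edge opening its own child process: expected, same user
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff", "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    # hypothetical tool run by an admin against another user's session
    {"EventID": 10, "SourceImage": r"C:\Temp\tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1010", "SourceUser": r"CORP\admin1", "TargetUser": r"CORP\bob"},
    # limited-information query only (0x1000): cannot read memory
    {"EventID": 10, "SourceImage": r"C:\Temp\tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x1000", "SourceUser": r"CORP\admin1", "TargetUser": r"CORP\carol"},
    # non-Edge process reading Edge memory inside the same user's session
    {"EventID": 10, "SourceImage": r"C:\Temp\tool.exe", "TargetImage": EDGE,
     "GrantedAccess": "0x0410", "SourceUser": r"CORP\bob", "TargetUser": r"CORP\bob"},
    # process creation event: not a ProcessAccess record
    {"EventID": 1, "Image": EDGE, "User": r"CORP\bob"},
]

def is_edge(path):
    return path.lower().endswith("\\msedge.exe")

def edge_memory_reads(events):
    """Return ProcessAccess events where a readable handle to Edge was granted."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not is_edge(ev.get("TargetImage", "")):
            continue
        if not int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
            continue  # handle does not allow reading memory
        same_user = ev.get("SourceUser", "").lower() == ev.get("TargetUser", "").lower()
        if is_edge(ev.get("SourceImage", "")) and same_user:
            continue  # Edge's own processes opening each other
        hits.append({"source": ev["SourceImage"], "by": ev.get("SourceUser"),
                     "victim": ev.get("TargetUser"), "cross_user": not same_user})
    return hits

if __name__ == "__main__":
    # Cross-user reads (the terminal-server scenario) are listed first.
    for hit in sorted(edge_memory_reads(EVENTS), key=lambda h: not h["cross_user"]):
        print(hit)
```

Security products and system components also open browser processes with read access, so an allowlist of known SourceImage paths is needed before alerting on these hits.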
(Source: Cybersecuritynews.com)




