A security researcher disclosed that Microsoft Edge decrypts every stored password into process memory upon browser launch, retaining them in cleartext for the entire session, irrespective of whether users visit the associated sites. The researcher, known as @L1v1ng0ffTh3L4N, presented the finding at BigBiteOfTech and confirmed through testing that Edge is unique among major Chromium-based browsers for this behavior.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
At the event, presented by PaloAltoNtwks Norway, the researcher also showcased a public verification tool allowing users to check for cleartext credentials in Edge’s process memory. Following this, a video demonstration aired on May 4, 2026, accumulating nearly 6,000 replies across social media platforms.
Microsoft’s response indicated the handling behavior is “by design.” The contrast with Google Chrome is stark; Chrome decrypts credentials only when needed using on-demand decryption and App-Bound Encryption, which ties decryption keys to an authenticated browser process to prevent unauthorized access.
Edge lacks these protections, which means that every saved credential becomes vulnerable as it remains exposed in plaintext from launch. Notably, the browser prompts users for re-authentication before revealing passwords, yet all credentials are still visible in memory, undermining the effectiveness of this security measure.
Angus Holliday, a Senior Security Operations Specialist, pointed out that the App-Bound Encryption policy does not secure data in memory, only the encryption keys for data stored locally. Microsoft’s documentation acknowledges that local attacks and malware vulnerabilities fall outside the browser’s threat model.
Shared or multi-user environments are particularly at risk, where administrative privileges enable an attacker to access the memory of all logged-in users. A proof-of-concept demonstrated how an admin account could extract stored credentials from other users’ Edge process memory, raising significant organizational security concerns.
Many industry professionals criticized Microsoft’s approach on platforms like LinkedIn, arguing for stronger protective measures against local attacks. Existing documentation indicates that Microsoft Edge cannot safeguard against threats compromising the entire device.
Organizations that exclusively use Edge face heightened configuration risks due to this intentional design choice rather than a fixable flaw. These concerns are amplified for enterprises involved with terminal server deployments, VDI, and shared-access systems.
