A security researcher disclosed on April 29, 2026, that Microsoft Edge decrypts every stored password into process memory upon launch and keeps them in cleartext for the entire session, regardless of user activity. This finding, presented at BigBiteOfTech, raises significant concerns about credential handling in shared Windows environments. The researcher, known as @L1v1ng0ffTh3L4N, conducted a systematic analysis of major Chromium-based browsers, revealing that Edge was the only browser that kept the entire password vault in plaintext memory at startup, according to Cyber Security News.
The disclosure included a public verification tool that lets users check whether their Edge browser holds cleartext credentials. On May 4, researcher Tom Joran Sonstebyseter Ronning posted a video demonstration of the findings, which drew 5,900 replies shortly after it was posted. Microsoft responded to the disclosure, stating that this behavior is “by design.”
Edge’s password handling diverges sharply from Google Chrome’s practices. Cyber Security News highlighted that Chrome employs on-demand decryption, unlocking credentials only when necessary, and utilizes App-Bound Encryption, which binds decryption keys to an authenticated process. In contrast, Edge loads all saved credentials into plaintext from the moment it launches, exposing them to potential memory-based extraction attacks.
Despite prompting users for re-authentication before revealing passwords, the same credentials are accessible in memory, rendering such prompts ineffective against memory-based attacks. Angus Holliday, a Senior Security Operations Specialist, clarified that Microsoft’s App-Bound Encryption protects data at rest but does not safeguard memory. Microsoft’s policy documentation, updated on January 27, 2026, states that disabling App-Bound Encryption could allow unauthorized applications to access encryption keys.
This vulnerability is especially pronounced in shared or multi-user environments. An attacker with administrative privileges can read the memory of all logged-on users' processes, potentially exposing the credentials of multiple users at once. A public proof-of-concept video demonstrated an admin account extracting stored credentials from other users by accessing Edge process memory.
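Detection logic for the shared-machine scenario above, as an added example that is not part of the original article or of any Microsoft or Sysmon tooling: it parses constructed Sysmon Event ID 10 (ProcessAccess) records, flags read-capable handles to msedge.exe opened by a process outside a small allowlist, and escalates when the account holding the handle differs from the account that owns the Edge process. The flattened one-line record format, the allowlist and the sample events are assumptions; in production the same fields come from the Sysmon event XML.

```python
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory
# Hypothetical allowlist: Edge opening handles to its own child processes is expected.
ALLOWED_SOURCES = {r"c:\program files (x86)\microsoft\edge\application\msedge.exe"}

FIELDS = "SourceUser|TargetUser|SourceImage|TargetImage|GrantedAccess"
FIELD_RE = re.compile(rf"({FIELDS}):\s*(.*?)\s*(?=(?:{FIELDS}):|$)")

@dataclass
class ProcessAccess:
    source_user: str
    target_user: str
    source_image: str
    target_image: str
    granted_access: int

def parse_event10(line: str) -> ProcessAccess:
    """Parse one flattened Sysmon Event ID 10 (ProcessAccess) record (assumed format)."""
    f = dict(FIELD_RE.findall(line))
    return ProcessAccess(f["SourceUser"].lower(), f["TargetUser"].lower(),
                         f["SourceImage"].lower(), f["TargetImage"].lower(),
                         int(f["GrantedAccess"], 16))

def classify(ev: ProcessAccess) -> "str | None":
    """Verdict for a read-capable handle to msedge.exe from an unexpected source, else None."""
    if not ev.target_image.endswith(r"\msedge.exe") or ev.source_image in ALLOWED_SOURCES:
        return None
    if not ev.granted_access & PROCESS_VM_READ:
        return None  # handle cannot read memory (e.g. query-only rights)
    # A read by a different account is the multi-user case the article describes.
    return "cross-user-read" if ev.source_user != ev.target_user else "same-user-read"

def find_alerts(lines):
    """Return (verdict, event) pairs for every record that merits review."""
    events = [parse_event10(line) for line in lines]
    return [(v, ev) for ev in events if (v := classify(ev))]

# Constructed sample records (not real telemetry); one event per line.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_LOG = [
    f"SourceUser: CONTOSO\\admin TargetUser: CONTOSO\\alice SourceImage: C:\\Tools\\unknown.exe TargetImage: {EDGE} GrantedAccess: 0x1010",
    f"SourceUser: CONTOSO\\alice TargetUser: CONTOSO\\alice SourceImage: {EDGE} TargetImage: {EDGE} GrantedAccess: 0x1FFFFF",
    f"SourceUser: CONTOSO\\alice TargetUser: CONTOSO\\alice SourceImage: C:\\Windows\\System32\\taskmgr.exe TargetImage: {EDGE} GrantedAccess: 0x1000",
]
```

Only the first sample is reported (an unknown binary under a different account holding a PROCESS_VM_READ handle to Edge); Edge's own child-process handles and a query-only handle are ignored.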
Microsoft acknowledges that its public documentation regarding Edge’s password manager recognizes the vulnerability of in-memory credentials but categorizes such attacks as outside the browser’s threat model. The documentation warns that local attacks or malware can access decrypted browser storage, raising concerns over the inherent risks of Edge’s design, particularly for organizations that standardize its use.
Mike Pedrick, a Chief Information Security Officer, noted that some organizations mandate Edge as the only permitted browser, prioritizing standardization over security. Cyber Security News advised that security teams operating Windows environments with Edge should consider migrating to browsers with better security practices until Microsoft modifies this design issue.
In the global browser market, Edge held a 7.018% share as of Q1 2025, ranking third behind Chrome and Safari. However, its market share is significantly higher in enterprise environments, where Edge is often the default browser on managed Windows devices, raising data handling concerns particularly within the marketing and advertising sectors.