Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites.

The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior.

Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.

The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password.

Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials.

Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.

What makes this finding particularly contradictory is Edge’s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory.

The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction.

The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers.

An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.

In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory.

This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 — Credentials from Web Browsers.
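As a defender-side illustration added here (not the researcher's verification tool or any code from the disclosure), the following Python scans constructed Sysmon Event ID 10 (ProcessAccess) records for non-Edge processes that open msedge.exe with memory-read access, rating the finding higher when the reading account differs from the Edge owner's, which is the terminal-server scenario above. Field names follow Sysmon's ProcessAccess schema; the allowlist and every event value are assumptions made up for the example.

```python
import re

PROCESS_VM_READ = 0x0010      # access right required to read another process's memory
EDGE_IMAGE = "msedge.exe"
# Processes that routinely open handles to other processes. Constructed starting
# allowlist for this example only; tune it per environment.
ALLOWLIST = {"msedge.exe", "msedgewebview2.exe", "csrss.exe", "svchost.exe"}

# Constructed Sysmon Event ID 10 records flattened to key=value text, as a log
# shipper might emit them. Field names follow Sysmon; every value is made up.
E = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_EVENTS = [
    f"EventID=10 SourceImage={E} TargetImage={E} GrantedAccess=0x1410 SourceUser=CORP\\alice TargetUser=CORP\\alice",
    f"EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage={E} GrantedAccess=0x1FFFFF SourceUser=NT AUTHORITY\\SYSTEM TargetUser=CORP\\alice",
    f"EventID=10 SourceImage=C:\\Users\\admin\\Downloads\\tool.exe TargetImage={E} GrantedAccess=0x1010 SourceUser=CORP\\admin TargetUser=CORP\\bob",
    f"EventID=10 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe TargetImage={E} GrantedAccess=0x1410 SourceUser=CORP\\alice TargetUser=CORP\\alice",
    f"EventID=10 SourceImage=C:\\Windows\\System32\\Taskmgr.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1000 SourceUser=CORP\\alice TargetUser=CORP\\alice",
]

def parse_event(line: str) -> dict:
    """Split 'Key=value' pairs; values may contain spaces, so cut at the next 'Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict):
    """Return 'high', 'medium' or None for one ProcessAccess event."""
    if ev.get("EventID") != "10" or image_name(ev.get("TargetImage", "")) != EDGE_IMAGE:
        return None
    if not int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
        return None                                   # handle cannot read memory
    if image_name(ev.get("SourceImage", "")) in ALLOWLIST:
        return None
    src_user, dst_user = ev.get("SourceUser", "").lower(), ev.get("TargetUser", "").lower()
    if src_user and dst_user and src_user != dst_user:
        return "high"      # one account reading another user's Edge: the RDS/terminal-server case
    return "medium"        # untrusted process reading the same user's Edge memory

def scan(lines):
    """Run classify() over raw log lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            findings.append({"severity": sev, "source": ev["SourceImage"], "target_user": ev["TargetUser"]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a real estate, feed the same logic the Sysmon ProcessAccess events for msedge.exe from the SIEM rather than the constructed list, and expect to grow the allowlist with EDR and backup agents before the medium tier is quiet.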

Microsoft Edge Passwords in Cleartext

When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.”

Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model.

The April 29 disclosure at BigBiteOfTech included a small educational verification tool that allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior.

Security teams managing Windows environments with Edge deployed, particularly those operating terminal servers, VDI environments, or any shared-access systems, should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.
