Why Edge stores your passwords in plaintext, according to Microsoft

Lance Whitney/ZDNET


ZDNET’s key takeaways

  • Microsoft Edge decrypts all of your saved passwords at startup and keeps them in plaintext in process memory (RAM).
  • This behavior occurs if you use Edge as your password manager.
  • Microsoft says that this behavior is a feature, not a bug.

Do you use Microsoft Edge to save and manage your website passwords? If so, a new finding raises questions about the safety and security of your stored passwords.

A security researcher found that Edge stores your plaintext passwords in memory when you use the browser to manage them. In a social media post, researcher Tom Jøran Sønstebyseter Rønning explained how the process works and posted a video showing it in action.


“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory,” Rønning said. “This happens even if you never visit a site that uses those credentials. At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.”

Microsoft calls the behavior an expected feature

On GitHub, Rønning posted the code he wrote to detect this behavior. Dubbed EdgeSavedPasswordsDumper, the tool reads the memory of the running Edge browser process and shows that every credential saved with Microsoft Password Manager in Edge is present there in plaintext.

In a statement shared with ZDNET, Microsoft acknowledged this behavior but said that it’s an expected feature and would pose a risk only if your device was already compromised.

“Access to browser data as described in the reported scenario would require the device to already be compromised,” a Microsoft spokesperson said in the statement. “Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”


Microsoft’s claim that the device would already need to be compromised appears to hold, at least based on Rønning’s testing. As shown in the video, the demonstration assumes an attacker who has already compromised a user account with administrative rights, which gives them access to the memory of every logged‑on user’s processes, where the plaintext passwords can be read. The bar may be lower in practice, though: on Windows, code running as the same user can generally read the memory of that user’s own processes without elevation, so “compromised” here means any malicious code running in the victim’s session, not necessarily an administrator.

Rønning said that Edge is the only Chromium‑based browser he’s tested that acts this way. In contrast, Google Chrome decrypts credentials only when needed rather than keeping all passwords in memory at all times. Chrome’s design makes it far more difficult for an attacker to extract saved passwords by simply reading the device’s memory, Rønning added. So far, this weakness appears to be specific to the Microsoft Password Manager used in Edge.

“Despite Edge being Chromium-based, none of the other Chromium-based browsers I have tested are using Microsoft Password Manager to store passwords and autofill data,” said Rønning. “And I doubt that’s based on Chromium?”


If Google can keep Chrome from exposing plaintext passwords in memory, shouldn’t Microsoft be able to do the same? In response to Rønning’s post, another commenter pointed out that the credentials could be held in memory in encrypted form, decrypted only when needed to sign in to a website, and wiped immediately afterward.
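As an added illustration (not code from the article, from Rønning’s tool, or from either browser), the Go program below models the two designs the article contrasts: a store that decrypts every saved password at startup and keeps it resident, and one that keeps only ciphertext in memory, decrypts a single password when autofill needs it, and zeroes the buffer afterwards. A scan over each store’s live buffers stands in for the attacker reading process memory. AES‑GCM under an in‑memory key is used in place of the OS‑backed protection a real browser relies on (DPAPI on Windows); the site, password and credential are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Credential is one saved login as stored on disk. AES-256-GCM under an in-memory key
// (nonce || ciphertext || tag) stands in for the OS-backed protection a real browser
// uses (DPAPI on Windows); that substitution is an assumption of this example.
type Credential struct {
	Site string
	Blob []byte
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error in this example
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// zero overwrites a buffer so plaintext does not linger once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// LoadResident models the behaviour reported for Edge: every credential is decrypted
// at startup and the returned plaintext buffers stay alive for the life of the process.
func LoadResident(key []byte, creds []Credential) ([][]byte, error) {
	var live [][]byte
	for _, c := range creds {
		pw, err := unseal(key, c.Blob)
		if err != nil {
			return nil, err
		}
		live = append(live, pw)
	}
	return live, nil
}

// UseOnDemand models the contrasting design: ciphertext stays in memory; only the one
// password needed now is decrypted, handed to fn (the autofill path) and zeroed before
// UseOnDemand returns. Wiping is best effort: a copy made by fn is out of its reach.
func UseOnDemand(key []byte, creds []Credential, site string, fn func(pw []byte)) error {
	for _, c := range creds {
		if c.Site == site {
			pw, err := unseal(key, c.Blob)
			if err != nil {
				return err
			}
			defer zero(pw)
			fn(pw)
			return nil
		}
	}
	return fmt.Errorf("no credential for %s", site)
}

// Leaks imitates the attacker's memory scan: does any live buffer contain the secret?
func Leaks(live [][]byte, secret []byte) bool {
	for _, b := range live {
		if bytes.Contains(b, secret) {
			return true
		}
	}
	return false
}

// Demo loads one constructed credential both ways and reports what a memory scan finds
// in each case, plus whether the on-demand plaintext was wiped after use.
func Demo() (residentLeaks, onDemandLeaks, wipedAfterUse bool) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	secret := []byte("correct horse battery staple") // constructed sample password
	creds := []Credential{{Site: "https://example.com", Blob: seal(key, secret)}}

	resident, err := LoadResident(key, creds)
	if err != nil {
		panic(err)
	}
	residentLeaks = Leaks(resident, secret)

	var seen []byte // the slice handed to the callback, kept to check it was wiped
	if err := UseOnDemand(key, creds, "https://example.com", func(pw []byte) { seen = pw }); err != nil {
		panic(err)
	}
	// In the on-demand design the only long-lived buffers are the key and the blobs.
	onDemandLeaks = Leaks([][]byte{key, creds[0].Blob}, secret)
	wipedAfterUse = !bytes.Contains(seen, secret)
	return
}

func main() {
	r, o, w := Demo()
	fmt.Printf("resident leaks=%v on-demand leaks=%v wiped after use=%v\n", r, o, w)
}
```

Run it with `go run`. The resident store’s buffers contain the password verbatim, so the scan finds it; the on‑demand store’s buffers hold only the key and ciphertext, and the slice the autofill callback was handed is all zeros once UseOnDemand returns. Zeroing is best effort: any copy the caller makes, or a conversion to an immutable string, escapes it, so keeping the plaintext’s lifetime short matters as much as the wipe.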

“From a defensive perspective, storing passwords in clear-text memory violates the principles of least privilege, zero trust, and secure application design,” Morey Haber, chief security advisor at security provider BeyondTrust, told ZDNET. “It is simply just a bad idea. If a password can be read in memory by a human or malicious process, it is no longer a protected secret. It is already compromised in principle through clear-text storage in an already insecure medium.”

Pitfalls of using your browser’s built-in password manager

Unless Microsoft decides to change the way its password manager works, what can you do if you use Edge as your default browser to manage your passwords?

My advice would be to switch to a dedicated third-party password manager. Yes, using your browser’s built-in password manager seems quick and convenient. But there are some pitfalls beyond this latest one.

If someone gains access to your PC or mobile device via your password, PIN, or passcode, they could launch your browser and use the same method to view your passwords. I’ve tried this on a Windows PC using just my PIN and was able to access plaintext passwords in Edge. A good third-party password manager requires stronger authentication to view your passwords.


A built-in password manager works just with that specific browser. You can use Edge as your default, but you might sometimes turn to Chrome or Firefox. In that case, your stored passwords wouldn’t be available. I use Firefox, Chrome, and Edge both personally and professionally, so my passwords need to be accessible across all three.

Hopefully, Microsoft will see this as a security flaw and adopt the same method used in Chrome and other browsers to decrypt passwords only when needed. Until then, I’d advise against using Edge as your password manager.
