Microsoft Edge Keeps Decrypted Passwords in Memory, Study Reveals

A security researcher has uncovered a behavior in Microsoft Edge that could raise concerns for enterprise environments and shared systems. The browser appears to load saved credentials into memory in plaintext as soon as it starts, rather than only when needed.

What was discovered

According to Neowin, researcher Tom Jøran Sønstebyseter Rønning analyzed how Edge handles stored login data. His findings show that usernames and passwords are decrypted and loaded into RAM at browser startup, remaining there throughout the session.

This means credentials stay accessible in memory even when users are not actively logging into websites.

Proof-of-concept demonstrates the risk

To validate the behavior, the researcher released a tool called “EdgeSavedPasswordsDumper” on GitHub. The tool reads the browser’s process memory and extracts stored credentials in plaintext from the parent process.

Although intended for security testing, the tool highlights how easily sensitive data can be accessed once the system is already compromised.

Security implications

The behavior does not create a remote vulnerability by itself. An attacker must already have elevated or system-level access to read process memory and extract credentials.

However, the risk becomes more serious in environments where multiple users share the same system or where administrative access has been compromised. In such cases, stored credentials from different users could be exposed without additional authentication barriers, even though the browser still prompts users to log in normally.

How Edge compares to other browsers

Other Chromium-based browsers such as Google Chrome and Brave reportedly decrypt credentials only when required. They avoid keeping passwords persistently available in memory, which reduces exposure time.

Edge behaves differently by keeping decrypted credentials accessible during the entire session, making it stand out among similar browsers.

Microsoft response

Microsoft reviewed the findings and classified the behavior as “by design.” The company has not indicated any plans to change this approach, suggesting it aligns with internal design decisions related to performance or usability.

This discovery comes as Microsoft continues to adjust Microsoft Edge features and priorities. The company is reportedly removing parts of the sidebar to focus more on Copilot integration.

At the same time, the broader security landscape remains active. Recent reports show that CloudZ RAT can steal one-time passwords through Phone Link by accessing synced notifications on Windows systems. In a separate issue, Microsoft confirmed that its April 2026 update triggered backup problems linked to blocked kernel drivers.