Microsoft Edge will load all your passwords into memory in plaintext, but Microsoft says it’s not a security concern

Microsoft Edge has been discovered to be storing all passwords in plaintext when loaded in memory upon startup, making the passwords much easier to read and scrape by malware or hackers. Cyber security researcher @L1v1ng0ffTh3L4N posted about the exploit on X, and says “Edge is the only Chromium‑based browser I’ve tested that behaves this way.”

“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” the security researcher claims. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.”

Microsoft Edge is based on Chromium, the same foundation that powers a number of other browsers such as Chrome, Brave, and Opera. However, it seems Edge is the only Chromium browser that loads all stored passwords into memory using plaintext at startup. Chrome, for example, will only load passwords into memory with plaintext when the user requests to see the password in the password manager or autofill menu.

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB May 4, 2026

We reached out to Microsoft for comment, and a spokesperson issued the following statement:

“Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”

That means Microsoft is aware of this behavior, and doesn’t view it to be much of a problem. In fact, it sounds like Edge loading all passwords into memory using plaintext is by design, as it speeds up the sign-in and authentication process for the end user.

Instead of addressing this behavior, Microsoft is recommending that users ensure their PCs remain up to date with the latest security patches to help protect against installing malware that might exploit this design in Microsoft’s browser.

Ulitimatly, it’s clear that Microsoft isn’t overly concerned about this potential issue, at least for now. While other browsers will only load passwords into memory using plaintext when requested, Edge will seemingly continue to load all passwords into memory in plaintext upon startup.

Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.

Source link