A Security researcher has discovered that Microsoft Edge will load all your stored passwords into memory in plaintext at startup. This makes it easy to scrape passwords via malware, spyware, or a virus.
In 2020, Microsoft moved Edge to Chromium, the same framework that powers browsers such as Chrome, Brave, and Opera. Edge is the only Chromium-based browser that loads all stored passwords into memory in plaintext at startup, so this is not a framework issue.
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026
Cyber security researcher @L1v1ng0ffTh3L4N posted about the vulnerability on X, saying
“Edge is the only Chromium‑based browser I’ve tested that behaves this way.
When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” the security researcher claims. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.”
After reporting the issue to Microsoft, the security researcher was told that this behaviour was “by design.” A company spokesperson also shared a more detailed statement with Windows Central:
“Safety and security are foundational to Microsoft Edge. Access to browser data, as described in the reported scenario, would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”
So this is a feature, not a very concerning bug, to say the least. Microsoft did this by design. In May 2024, Microsoft said security is its “Top Priority“. If you’re concerned about the security of your saved passwords in Edge, I would recommend moving all of them to a more secure password manager and using a different browser than Microsoft Edge.