Microsoft Edge stores saved passwords in plaintext memory, researcher warns
07 May 2026
Microsoft Edge, the tech giant's web browser, has been flagged for a major security flaw.
The issue was highlighted by security researcher Tom Joran Sonstebyseter Ronning, who found that the browser loads stored passwords in plaintext in a computer's RAM.
This could potentially allow malware to access these login credentials.
Ronning demonstrated this vulnerability using a simple tool and command prompt with administrator privileges.
Microsoft defends password storage method
Company response
In response to the security concern, Microsoft defended its method of storing passwords in Edge.
The company said that the potential threat only exists if a hacker has gained control over a user's PC, possibly through malware.
"Access to browser data as described in the reported scenario would require the device to already be compromised," Microsoft said in a statement.
Ronning highlights differences with Google Chrome
Security concerns
Ronning has raised concerns over Microsoft's approach to password decryption in Edge.
He noted that unlike Google Chrome, which decrypts saved credentials only when needed, Edge keeps all passwords in memory at all times.
"In contrast, Chrome will only decrypt the credential you need for autofill, when you need it, and it will be removed after," he said.
Microsoft says approach balances performance and security
User experience
Microsoft has also highlighted that its method of loading stored passwords in Edge can enhance user experience.
"Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats," the company said.
"Browsers access password data in memory to help users sign in quickly and securely—this is an expected feature of the application."
Controversy sparks debate on password security measures
Ongoing debate
The controversy surrounding Edge's password storage security has sparked a debate.
Some argue that the risk is exaggerated as it requires compromised admin access to a PC or server, which would expose the victim to other attacks too.
However, others have questioned why Microsoft doesn't adopt stronger security measures for password storage.
-
New Strictly host 'named' as fan-favourite Emma Willis 'to replace' Tess and Claudia
-
Sarah Ferguson 'phoned ex-husband' Andrew Mountbatten-Windsor to reveal major news
-
Unique Temple in Chhattisgarh Attracts Bears for Daily Worship
-
Paloma Faith sparks BAFTA fury as BBC viewers slam 'inconsiderate' move
-
Surge in US Military Flights Near Cuba Raises Concerns
