If you tend to save your passwords in your browser, you need to be more careful. A security researcher from Norway has uncovered a serious vulnerability in Microsoft Edge: the browser holds its saved passwords in memory as plaintext, as he showed in a social media post.
Any malicious user with local access could easily read all your stored passwords, even ones that have not been used at all during the current session, and simply copy them out in plaintext. In a video, Tom Jøran Sønstebyseter Rønning demonstrates this in action.
Serious flaw in Edge’s password manager
The vulnerability affects Microsoft Edge’s password manager. Password managers typically use end-to-end encryption and store passwords in cloud storage so that users can access them from anywhere. When a password is needed, the manager normally decrypts it for use and then discards the plaintext afterwards.
The fact that Edge keeps all passwords loaded without any encryption is both unusual and dangerous. Other password managers, including those that are built into browsers, don’t operate in this way—Rønning says Edge is the only Chromium-based browser he’s tested with this behavior.
Edge does require authentication to view passwords in the password manager, but this is of little protective value if attackers can simply gain access by reading the RAM, which is what happens here.
Is this intentional or a bug?
Rønning apparently shared his findings with Microsoft and received an unexpected response. According to ITavisen (machine translated), Edge’s password management behavior is “a deliberate design decision, not a bug.” It’s unclear what benefit this design offers for users.
Rønning decided to warn users about how it works anyway, and also plans to publish his own tool on GitHub, which any user can use to check whether their Edge passwords are stored in plaintext.
If you use Edge and have passwords stored in the browser, you should migrate to another password manager that’s actually secure, then delete all your passwords from Edge. If you don’t know where to start, check out PCWorld’s picks for the best password managers.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.