A recent investigation by a security researcher revealed that Microsoft Edge loads its entire password vault into plaintext memory upon startup, maintaining it throughout the browsing session. Microsoft has confirmed this behavior is "by design," despite the potential security implications for users.
The researcher systematically tested major Chromium-based browsers for how they handle credentials in memory. Edge was the only one observed to decrypt and load the complete password vault into an unencrypted state within process memory immediately at launch. This decrypted data then remains accessible for the entire duration of the user's browsing session.
In contrast, other Chromium browsers, including Google Chrome, decrypt individual passwords only when specifically needed. This occurs, for instance, during an autofill operation or when a user actively requests to view a stored password. These competing browsers also integrate mechanisms like app-bound encryption for cryptographic keys, adding an extra layer of protection. These specific protections are not present in Edge's current implementation for managing its password vault in memory.
To demonstrate the practical implications of this design choice, the security researcher developed a proof-of-concept. This PoC illustrated that accessing the decrypted vault requires no advanced zero-day exploits or complex software vulnerabilities. Instead, it relies on the relatively straightforward ability to read an application's process memory, a capability that typically requires elevated system privileges on the user's machine.
Microsoft's official response to the reported issue confirmed the behavior, stating it is "by design." The company's justification likely centers on optimizing user experience, such as achieving faster sign-in times and more responsive autofill functionalities. Microsoft considers the prerequisite of an already compromised machine or an attacker possessing elevated access to read RAM as outside the scope of this particular design decision, effectively shifting the boundary of their security model.
An attacker needs a significant level of access to the target machine for this method to succeed. This includes, for example, the ability to execute code on the system and the necessary permissions to read Edge's specific process memory space. Such access often necessitates administrative or other elevated privileges. This is not a remote, unauthenticated bug that allows direct browser compromise from afar.
However, Edge's architecture significantly eases post-compromise credential harvesting once an initial breach has occurred. If an attacker has already gained control of the system, the plaintext vault provides a direct route to all stored passwords. Many prevalent information-stealing malware programs already incorporate the functionality to read process memory. This design choice simply gives such malware another, more accessible target on an already compromised system, streamlining credential exfiltration.
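As an added example (not from the article or the researcher's proof-of-concept), this is the kind of check a defender would run over Sysmon ProcessAccess (Event ID 10) telemetry: any process other than Edge itself opening msedge.exe with PROCESS_VM_READ is worth an alert, because that access right is exactly what reading the decrypted vault requires. The log lines, paths and allowlist are constructed assumptions; only the Sysmon field names and the Windows access-mask values are real.

```python
import re

PROCESS_VM_READ = 0x0010             # right required to read another process's memory
PROCESS_QUERY_LIMITED_INFO = 0x1000  # commonly requested by tooling; harmless on its own

# Edge's own processes read one another's memory constantly; anything else opening
# msedge.exe with VM_READ deserves a look. Assumption: extend with your EDR/AV paths.
ALLOWED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records in a simplified key="value" layout. Field names follow
# Sysmon's Event ID 10 (ProcessAccess) schema; the one-line layout is this example's own.
SAMPLE_LOG = r'''
EventID="10" SourceImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" GrantedAccess="0x1410"
EventID="10" SourceImage="C:\Windows\System32\taskmgr.exe" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" GrantedAccess="0x1000"
EventID="10" SourceImage="C:\Users\alice\AppData\Local\Temp\update.exe" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" GrantedAccess="0x1010"
EventID="10" SourceImage="C:\Users\alice\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess="0x1fffff"
EventID="1" Image="C:\Users\alice\AppData\Local\Temp\update.exe" CommandLine="update.exe"
'''


def parse_records(text):
    """Turn each non-empty line into a dict of Sysmon field name -> value."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def flag_edge_memory_reads(records):
    """Return (SourceImage, GrantedAccess) for non-allowlisted reads of Edge memory."""
    hits = []
    for rec in records:
        if rec.get("EventID") != "10":          # only ProcessAccess events matter here
            continue
        source = rec.get("SourceImage", "").lower()
        target = rec.get("TargetImage", "").lower()
        if not target.endswith(r"\msedge.exe"):
            continue
        access = int(rec.get("GrantedAccess", "0"), 16)
        # Query-only handles (e.g. Task Manager) cannot read the vault; VM_READ can.
        if access & PROCESS_VM_READ and source not in ALLOWED_SOURCES:
            hits.append((rec["SourceImage"], hex(access)))
    return hits


if __name__ == "__main__":
    for src, acc in flag_edge_memory_reads(parse_records(SAMPLE_LOG)):
        print(f"Edge memory read by {src} (GrantedAccess={acc})")
```

Edge-to-Edge reads and the query-only Task Manager handle are ignored; the constructed `update.exe` read of msedge.exe is the one record flagged.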
A separate academic study published in 2024 independently identified that various password managers, not just Edge, can inadvertently leak plaintext passwords into memory under certain operational conditions. This broader finding reinforces a general caution regarding the trade-offs involved in using any browser-integrated password manager.
While browser password managers offer undeniable convenience through seamless integration and automated credential management, this ease of use often comes with a tangible security cost. Users must carefully evaluate these benefits against the inherent risks when determining where to securely store their sensitive login credentials. Security experts consistently advise against storing critical data, such as banking details, credit card numbers, or sensitive personally identifiable information like medical records, within any browser's password manager.
Implementing multi-factor authentication (MFA) wherever available is a crucial defense. MFA substantially reduces the risk of account compromise, even if an attacker manages to obtain a password. For users who choose to rely on a built-in password manager, these design specifics suggest that Microsoft Edge is currently the least secure option among major browsers because of its persistent plaintext vault in memory.
The "by design" decision by Microsoft means users of Edge face a heightened risk of credential exposure if their system is already compromised, a risk not observed to the same degree in other major Chromium browsers.
