Microsoft confirms Edge decrypts saved passwords into memory at startup, researcher says

Micrososources has confirmed that its Edge browser decrypts users’ saved passwords into system memory at startup and keeps them in plaintext “by design,” according to security researcher Tom Jøran Sønstebyseter Rønning.

Rønning said Edge loads saved credentials into the browser process’s memory even if a user does not visit any site that uses those passwords during the session. He published a proof of concept suggesting that an attacker who already has administrative access on a device could read Edge’s process memory and extract stored credentials.

How Edge compares with Google Chrome

Rønning contrasted Edge’s behavior with Google Chrome, saying Chrome decrypts credentials only when they are needed.

He also pointed to Chrome’s use of App‑Bound Encryption, which is designed to bind decryption to an authenticated Chrome process and make it harder for other processes to reuse Chrome’s encryption keys.

Threat model and potential impact

Micrososources’s position, as described by the researcher, is that exploitation would require administrative access—an access level the company treats as outside its threat model for protecting encrypted data.

Rønning argued that keeping decrypted passwords resident in memory could increase the potential impact if a system is already compromised.

He added that other Chromium-based browsers he tested did not show the same behavior of loading all saved passwords into memory at startup.