Overview
- Microsoft reiterated Thursday that Edge's practice of keeping saved passwords in readable RAM is a deliberate design choice, saying the data would be exposed only on already compromised devices.
- Norwegian researcher Tom Jøran Sønstebyseter Rønning reported that Edge decrypts all stored credentials at startup and keeps them in process memory, a behavior he did not find in Chrome, Brave, Vivaldi, or Opera.
- A public proof‑of‑concept on GitHub and follow‑up tests show that memory dumps of an open Edge session can reveal passwords in cleartext, raising the payoff for common memory‑scraping tactics.
- Exploitation typically requires administrative access or a hijacked session, which is especially risky on terminal servers, virtual desktops, and other shared Windows environments where one compromise can expose many users’ logins.
- Security experts advise turning off Edge’s built‑in password storage, moving credentials to a dedicated password manager, rotating high‑risk passwords, and enabling two‑factor authentication or passkeys, with no Edge fix announced so far.
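
For administrators of the shared Windows hosts mentioned above, a read-only audit can show whether Edge's password storage is turned off by policy and which accounts to prioritize for migration and password rotation. This is an added example, not code from the article or from Microsoft; it assumes the `PasswordManagerEnabled` Edge policy value, the default `C:\Users` profile root, and Edge's default `User Data` layout.

```powershell
# Read-only audit of Edge password storage on a shared Windows host.
# Assumptions (not from the article): the machine-wide policy key below,
# the C:\Users profile root, and Edge's default "User Data" layout.

function Get-EdgePasswordPolicy {
    param([string]$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge')
    $p = Get-ItemProperty -Path $Key -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotConfigured' }   # users can still save passwords
    if ($p.PasswordManagerEnabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-EdgeLoginStore {
    param([string]$UsersRoot = 'C:\Users')
    foreach ($user in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $userData = Join-Path $user.FullName 'AppData\Local\Microsoft\Edge\User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }
        # Each Edge profile ("Default", "Profile 1", ...) has its own Login Data file.
        # The file can exist with no saved entries, so results are candidates only;
        # the script never opens or reads the file contents.
        foreach ($edgeProfile in Get-ChildItem -LiteralPath $userData -Directory -ErrorAction SilentlyContinue) {
            $db = Join-Path $edgeProfile.FullName 'Login Data'
            if (Test-Path -LiteralPath $db) {
                $file = Get-Item -LiteralPath $db
                [pscustomobject]@{
                    User      = $user.Name
                    Profile   = $edgeProfile.Name
                    SizeKB    = [math]::Round($file.Length / 1KB)
                    LastWrite = $file.LastWriteTime
                }
            }
        }
    }
}

function Get-EdgeSessionOwner {
    # Accounts with a running Edge process; -IncludeUserName needs elevation.
    Get-Process -Name msedge -IncludeUserName -ErrorAction SilentlyContinue |
        Group-Object -Property UserName |
        Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'EdgeProcesses'; e = { $_.Count } }
}

"Edge password manager policy (machine): $(Get-EdgePasswordPolicy)"
Get-EdgeLoginStore   | Sort-Object User, Profile | Format-Table -AutoSize
Get-EdgeSessionOwner | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the terminal server or virtual desktop host so that every user's profile directory and process owner is visible.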