
A security researcher published code and a video showing that when Microsoft Password Manager is enabled, Edge decrypts and retains every saved credential in the browser process memory at startup.
Researcher Tom Jøran Sønstebyseter Rønning posted a video and released detection code showing that Microsoft Edge decrypts and stores saved website passwords in plaintext inside the running browser process. The demonstration, published alongside a tool called EdgeSavedPasswordsDumper on GitHub, shows credentials present in RAM even for sites the user has not visited, and confirms the decrypted secrets appear as soon as the browser starts up.
According to the researcher’s write‑up and footage, Edge decrypts every credential at startup and keeps them resident in the browser process memory for the duration of the session. While the Microsoft Password Manager still requires the user to re‑authenticate before exposing passwords in the Password Manager UI, the underlying Edge process already holds those credentials in cleartext before any UI reveal occurs.
Microsoft acknowledged the behavior to the reporter and described it as an expected feature. In a statement, the company said the reported access would require a device to already be compromised and that “design choices in this area involve balancing performance, usability, and security.” Microsoft recommended installing the latest security updates and antivirus software to mitigate threats and said it continues to review the design against evolving threats.
The researcher’s demonstration also spells out the attacker model needed to exploit the condition: an attacker would first need to compromise a user account with administrative rights or otherwise gain access to the memory of logged‑on user processes. Under those circumstances, the plaintext passwords that Edge keeps in process memory could be read directly from RAM, making local memory access the primary prerequisite for abuse.
Rønning contrasted Edge’s behavior with other browsers. He reported that Google Chrome decrypts saved credentials only on demand rather than keeping all passwords resident in memory, and that the other Chromium‑based browsers he tested did not exhibit the same behavior because they do not use the Microsoft Password Manager. That difference highlights an implementation gap among Chromium forks and shows how a platform password manager can change in‑memory exposure characteristics.
For developers, security teams and users, the finding underscores a familiar tradeoff between sign‑in convenience and the in‑memory exposure of secrets. The issue specifically affects users who rely on Edge’s built‑in password manager: until design changes are implemented, defenders should assume credential exposure is possible on hosts that have already been compromised and treat local memory access as a critical attack vector.
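One way to watch for the local memory access described above on hosts that run Sysmon, as an added example that is not from the researcher's tool or the original article: it triages ProcessAccess (Event ID 10) records for handles that grant read access to `msedge.exe` memory. The sample events, paths and the allowlist are constructed assumptions.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Assumption: processes expected to open Edge on this fleet; tune per environment.
ALLOWED_SOURCES = {EDGE.lower(), r"c:\windows\system32\csrss.exe"}

# Constructed sample records using Sysmon ProcessAccess (Event ID 10) field names.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\msedge.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x0010"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1410"},
]


def can_read_memory(granted_access: str) -> bool:
    """True when the hex GrantedAccess mask includes PROCESS_VM_READ."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def flag_edge_memory_access(events, allowed=ALLOWED_SOURCES):
    """Return events where a non-allowlisted process can read Edge memory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if ntpath.basename(ev["TargetImage"]).lower() != "msedge.exe":
            continue
        if not can_read_memory(ev["GrantedAccess"]):
            continue
        # Compare the full path, not the file name, so a binary named
        # msedge.exe in a user-writable directory is not trusted.
        if ev["SourceImage"].lower() in allowed:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in flag_edge_memory_access(SAMPLE_EVENTS):
        print(hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

In production the records would come from the Microsoft-Windows-Sysmon/Operational log, with ProcessAccess logging enabled for `msedge.exe` targets in the Sysmon configuration.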