Microsoft has reversed course on a security design decision that quietly affected nearly every Windows PC running Edge. After initially telling a researcher the behavior was "by design," the company confirmed on May 18 that Edge will stop loading your entire saved-password vault into plaintext memory at browser startup. The fix ships in Edge version 148, and it matters to anyone who has ever clicked "Save password" in the browser that comes preinstalled on Windows.
What the researcher found
Norwegian security researcher Tom Jøran Sønstebyseter Rønning tested how the major Chromium-based browsers handle saved credentials and found that Edge stood out. It was the only one that loaded the entire password vault into plaintext process memory at startup, where it stayed for the duration of the session. Chrome and the other Chromium browsers he tested were observed to decrypt an individual password only when it was needed (for autofill or "show password"), never the whole vault, and to protect the keys with mechanisms such as app-bound encryption. Edge does not apply those protections in this context.
On startup, the browser loads all saved passwords into memory and keeps them in cleartext for the entire duration of the session — even if you never visit a site that uses those credentials. That means a single saved Amazon or bank password sits decrypted in RAM from the moment Edge opens until you close it, whether or not you ever use it that session.
Microsoft first said it was "by design" — then backtracked
When the researcher reported the issue, Microsoft initially defended the behavior. A spokesperson said "Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely - this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
That position changed this week. Microsoft Edge Security Lead Gareth Evans said Microsoft is now taking a broader view and has committed to changing Edge so that saved passwords are no longer loaded into memory as clear text on startup. Going forward, Edge will decrypt a password only when it is needed for autofill or a password-management operation. The change is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer across Stable, Beta, Dev, Canary, and Extended Stable).
How dangerous is this in practice?
This is not a remote, click-a-link-and-get-hacked bug. An attacker already needs a significant foothold: code execution on the box and the ability to read Edge's process memory, which often requires elevated privileges. The design does not create a way into the machine, but once an attacker is in, it makes post-compromise credential harvesting easier, and reading browser memory is a capability many infostealers already have.
In plain English: if malware is already running on your PC, this design hands it your saved passwords on a silver platter. That's exactly the scenario we see when customers bring in machines for malware and infostealer cleanup — by the time the infection is caught, browser-stored credentials are usually already gone. The researcher also warned that an attacker with administrative access on a terminal server can read the memory of every logged-on user's processes, and his proof of concept showed that the saved passwords of other users could be recovered while their Edge sessions were running.
What to do right now
Three concrete steps:
1. **Update Edge.** Open Edge, click the three-dot menu, go to Help and feedback → About Microsoft Edge. Make sure you're on version 148 or newer. The fix is rolling out across Stable, Beta, Dev, Canary, and Extended Stable channels.
2. **Reconsider browser-stored passwords for anything important.** Your browser's password manager gives you ease of use, but that convenience costs you some security. Dedicated password managers aren't foolproof either, so decide for yourself where your passwords should live. For banking, email, and work logins, a dedicated password manager (Bitwarden, 1Password, etc.) plus multi-factor authentication is the safer setup.
3. **If your PC has been acting strange — pop-ups, slow performance, weird logins on your accounts — get it checked.** Infostealer malware specifically targets browser credential stores, and a compromised machine that needs a full diagnostic and cleanup is far more common than people realize.
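Added example for step 1, not from the article or from Microsoft: a PowerShell check that reports which Edge channels are installed on a Windows machine and whether each one is at version 148 or newer. It assumes the standard per-machine install paths under Program Files (x86) for Stable, Beta and Dev and the per-user path under %LOCALAPPDATA% for Canary; Extended Stable shares the Stable install path, so it is covered by that row.

```powershell
# Added example (not from the article): list installed Edge channels and flag
# any whose major version is below the build that carries the fix.
# Assumption: standard install paths below; adjust if Edge was installed elsewhere.
$FixedMajor = 148   # version named in the article

function Get-EdgeFixStatus {
    $pf86 = ${env:ProgramFiles(x86)}
    $channels = [ordered]@{
        'Stable' = Join-Path $pf86 'Microsoft\Edge\Application\msedge.exe'
        'Beta'   = Join-Path $pf86 'Microsoft\Edge Beta\Application\msedge.exe'
        'Dev'    = Join-Path $pf86 'Microsoft\Edge Dev\Application\msedge.exe'
        'Canary' = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge SxS\Application\msedge.exe'
    }

    foreach ($name in $channels.Keys) {
        $exe = $channels[$name]
        if (-not (Test-Path -LiteralPath $exe)) {
            # Channel not installed on this machine; nothing to check.
            continue
        }
        # ProductVersion looks like "148.0.1234.56"; the first field is the major build.
        $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $major   = [int]($version.Split('.')[0])
        [pscustomobject]@{
            Channel  = $name
            Version  = $version
            HasFix   = ($major -ge $FixedMajor)
            Action   = if ($major -ge $FixedMajor) { 'OK' } else { 'Update Edge now' }
        }
    }
}

# Print one row per installed channel.
Get-EdgeFixStatus | Format-Table -AutoSize
```

An Edge window that was open during the update keeps running the old build until it is restarted, so close and reopen Edge after the version shows 148 or newer.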
What This Means for York, PA
If you're in York County and use Edge as your everyday browser — which most Windows 10 and 11 users do by default — update it this week and assume any password you've ever saved in it could already be exposed if your machine has had a malware scare. If you suspect an infection or want a security checkup, York Computer Repair on Carlisle Road can scan the machine and help you reset what needs resetting.
Sources
- Microsoft is changing Edge's plaintext password behavior — Malwarebytes
- Microsoft backtracks on Edge storing your passwords in plaintext RAM — PCWorld
- Microsoft is changing Edge's plaintext password behavior — Security Boulevard
- Microsoft Edge writes passwords to memory in cleartext — Cybernews
- Microsoft Edge will load all your passwords into memory in plaintext — Windows Central