
Microsoft reiterates that it's totally fine with Edge storing passwords in cleartext, despite security researchers' concerns

PC Gamer, James Bentley

Earlier this week, we reported that a researcher found Microsoft Edge saves passwords in cleartext in the memory of your machine. This means you can seemingly bypass even the likes of 2FA if you have access to someone's rig. At the time, Microsoft said this was 'by design', and it has affirmed the same statement in a correspondence with me.

I've been told, "Safety and security are foundational to Microsoft Edge. Access to browser data as described in the reported scenario would require the device to already be compromised."

This is true. Being able to get into the terminal to find the passwords on Edge does require having admin access on the machine, and that's already a severe breach of your security. However, this technique gets around many security restrictions already in place, should someone get hold of your machine, so it seems like a heightened risk for little reward.

As pointed out by the Internet Storm Center, you can actually get all that information by simply creating a memory dump file of the browser via Task Manager and using strings to search through that dump file for passwords. That means someone could get access in mere moments, with not too much technical know-how.

Tom Jøran Sønstebyseter Rønning, the researcher who drew attention to this, says that Edge is the only Chromium-based browser they've tested that behaves like this.

Microsoft tells me: "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely—this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."

The latest security updates and antivirus software will not protect against this specific problem. Though a user getting admin privileges might seem far-fetched, it's worth noting that many Windows users simply use their standard account at an administrator level. This means that, should you leave your machine open in a cafe or even in an office space, someone could theoretically nab any passwords on Edge in a short time.

As International Cyber Digest points out, "In shared environments, this turns into a credential harvest. On a terminal server, an attacker with admin rights can read the memory of every logged-on user process."

It's never a bad idea to brush up on your cybersecurity knowledge, but this is as good a time as any to remind you to lock down your account if you have to step away. And that's especially true if you are on Microsoft Edge.
