Microsoft Defends Edge's Plaintext Password Storage as 'Expected Feature'
Key Takeaways
- When the password manager is enabled, Microsoft Edge decrypts every saved password at startup and keeps all of them in plaintext in process memory for the life of the browser, whether or not the corresponding sites are ever visited
- Microsoft characterized the behavior as an expected design tradeoff between performance, usability, and security rather than a vulnerability
- According to Microsoft, practical exploitation requires an attacker who already has administrative access to the compromised device, which limits real-world attack scenarios
- Other Chromium-based browsers, Google Chrome among them, decrypt a credential only when it is needed rather than holding every credential in plaintext at all times
Summary
A security researcher found that Microsoft Edge holds saved passwords in plaintext in RAM whenever the browser's built-in password manager is enabled. Researcher Tom Jøran Sønstebyseter Rønning wrote a tool called EdgeSavedPasswordsDumper to demonstrate that Edge decrypts all stored credentials at startup and keeps them resident in process memory for as long as the process runs, even if the sites those passwords belong to are never visited. Microsoft acknowledged the behavior but defended it as an expected design tradeoff, stating that exploitation would require an attacker to already have administrative access to a compromised device. The company emphasized that browsers need password data in memory to offer fast sign-in. The research also shows that other Chromium-based browsers, including Google Chrome, take a more conservative approach: they decrypt a password only when it is about to be used rather than keeping every credential in plaintext memory at all times.
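To make the design difference concrete, here is a small Python model of the two approaches the article contrasts. This is an added example, not code from Edge, Chromium or the researcher's tool: an eager vault decrypts every entry at startup and keeps the plaintext resident, while an on-demand vault keeps only ciphertext and decrypts per lookup, wiping its scratch buffer afterwards. The cipher (a toy SHA-256 keystream), the master key, the site names and the passwords are all constructed stand-ins; the "memory dump" is simply every buffer the vault object holds.

```python
"""Toy model: eager-at-startup decryption versus on-demand decryption.
Added illustration only; not Edge, Chromium or EdgeSavedPasswordsDumper code.
The cipher is a toy SHA-256 keystream, not the platform-protected scheme a
real browser uses, and the "memory dump" is every buffer a vault holds."""
import hashlib
from typing import Dict, Tuple

Store = Dict[str, Tuple[bytes, bytes]]  # site -> (nonce, ciphertext)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not for real use)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytearray:
    """Encrypt or decrypt (XOR is its own inverse) straight into a mutable
    bytearray so the caller can wipe it in place afterwards."""
    ks = _keystream(key, nonce, len(data))
    out = bytearray(len(data))
    for i, byte in enumerate(data):
        out[i] = byte ^ ks[i]
    return out


def build_store(key: bytes, credentials: Dict[str, bytes]) -> Store:
    """Encrypt each password under a per-site nonce, like an on-disk login database."""
    store: Store = {}
    for site, password in credentials.items():
        nonce = hashlib.sha256(site.encode()).digest()[:12]
        store[site] = (nonce, bytes(_xor(key, nonce, password)))
    return store


class EagerVault:
    """Decrypts everything at startup and keeps it resident for the process lifetime."""

    def __init__(self, key: bytes, store: Store) -> None:
        self._plain = {site: _xor(key, nonce, ct) for site, (nonce, ct) in store.items()}

    def get(self, site: str) -> bytes:
        return bytes(self._plain[site])

    def resident_bytes(self) -> bytes:
        """Stand-in for a process-memory dump: every buffer this vault owns."""
        return b"|".join(self._plain.values())


class LazyVault:
    """Keeps only ciphertext resident; decrypts per lookup and wipes the scratch buffer."""

    def __init__(self, key: bytes, store: Store) -> None:
        self._key = key  # the key itself is resident in both designs
        self._store = store
        self._scratch = bytearray()

    def get(self, site: str) -> bytes:
        nonce, ct = self._store[site]
        self._scratch = _xor(self._key, nonce, ct)
        try:
            return bytes(self._scratch)  # copy handed to the caller for the sign-in
        finally:
            # Wipe in place. CPython makes no promise about other copies, which is
            # why real implementations do this in native code with locked memory.
            for i in range(len(self._scratch)):
                self._scratch[i] = 0

    def resident_bytes(self) -> bytes:
        blobs = [nonce + ct for nonce, ct in self._store.values()]
        return b"|".join(blobs + [bytes(self._scratch)])


def plaintext_exposed(vault, secret: bytes) -> bool:
    """Would a scan of the vault's resident memory find this password?"""
    return secret in vault.resident_bytes()


# Constructed sample data, not real credentials.
MASTER_KEY = hashlib.sha256(b"constructed master key").digest()
SAMPLE_CREDENTIALS = {
    "bank.example": b"hunter2-bank",
    "mail.example": b"correct horse battery staple",
}
ENCRYPTED_STORE = build_store(MASTER_KEY, SAMPLE_CREDENTIALS)


def compare(site: str = "bank.example") -> Dict[str, bool]:
    """Scan both designs before and after a single sign-in to `site`."""
    target = SAMPLE_CREDENTIALS[site]
    eager = EagerVault(MASTER_KEY, ENCRYPTED_STORE)
    lazy = LazyVault(MASTER_KEY, ENCRYPTED_STORE)
    result = {
        "eager_before_visit": plaintext_exposed(eager, target),
        "lazy_before_visit": plaintext_exposed(lazy, target),
    }
    assert lazy.get(site) == target  # the sign-in itself still works
    result["lazy_after_visit"] = plaintext_exposed(lazy, target)
    return result


if __name__ == "__main__":
    print(compare())
```

Running it shows the eager vault exposing the bank password to a memory scan before any site is visited, while the on-demand vault exposes nothing before the visit and nothing after it either, because only the copy handed to the sign-in code ever leaves the wiped scratch buffer. The master key is resident in both designs; the difference is how much plaintext a single memory dump yields, which is the point the research makes.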
Editorial Opinion
Microsoft's acknowledgment that Edge keeps plaintext passwords in RAM highlights the ongoing tradeoff between convenience and security in password management. The company's risk assessment, that exploitation requires prior device compromise, is defensible, but the research raises a fair question about whether a browser should accept that exposure at all when Chrome, built on the same Chromium code base, already decrypts credentials only when they are needed. A memory dump from a compromised machine should not have to yield every saved credential at once. The episode also shows why design decisions like this deserve to be documented openly, and why browsers should aim to exceed, not merely meet, baseline security practices.