Microsoft Edge keeps your passwords unencrypted in memory, and Microsoft calls it “expected”

A new finding reveals how Edge handles your saved passwords, raising questions about convenience versus security.

Edge saved passwords in RAM / Image: Mauro Huculak
  • Microsoft Edge decrypts and loads all saved passwords into memory at startup on Windows 11.
  • The passwords remain in plaintext in memory during the browsing session.
  • Attackers with system access can potentially extract credentials without breaking encryption.
  • Microsoft says the behavior is expected and requires a compromised device to exploit.

Microsoft Edge is (once again) under scrutiny after a security researcher showed that the browser loads saved passwords into memory in plaintext on Windows 11. The finding recently surfaced through independent testing and public disclosure, and Microsoft has confirmed the behavior is by design.

A researcher finds Edge exposing passwords in memory

A cybersecurity researcher demonstrated that Microsoft Edge decrypts and loads all stored credentials into system memory when the browser starts. This happens even if you do not visit a website that requires those passwords.

The issue affects users running Edge on Windows 11. According to the findings, any attacker or malware with sufficient access to the system could read that memory and extract credentials in plain text. Other Chromium-based browsers, including Google Chrome, typically only decrypt passwords when the user actively requests them, such as during autofill or when viewing saved entries.

However, this behavior isn’t entirely new. In 2022, another research company revealed that the Chromium browser was also holding credentials in memory in clear text.

Microsoft acknowledged the behavior and stated that access to this data would require the device to already be compromised:

“Access to browser data as described in the reported scenario would require the device to already be compromised. […] Browsers access password data in memory to help users sign in quickly and securely – this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats.”

In practical terms, the company is placing the responsibility for keeping Windows 11 secure on users. That includes installing updates, avoiding malicious downloads, and using security software.

Why this behavior raises concerns

This design makes it easier for attackers to access the data once they gain access to a system. If malware reaches the point where it can inspect process memory, it does not need to break encryption or wait for user interaction. The passwords are already available.

For everyday users, the concern is not that the browser exposes passwords remotely. The concern is what happens after a device is infected. At that point, sensitive data becomes easier to collect compared to other browsers that limit when credentials are decrypted.
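
As an added example (not from the article, the researcher or Microsoft): one defensive check for the post-infection scenario above is to watch for non-browser processes opening Edge with memory-read rights. The sketch filters Sysmon Event ID 10 (ProcessAccess) records; the sample events, the allowlisted EDR path and the Edge install path are constructed assumptions.

```python
import json
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: default Edge install path, lowercased for comparison; adjust for your fleet.
EDGE_PATH = r"c:\program files (x86)\microsoft\edge\application\msedge.exe"
# Hypothetical allowlist of full paths expected to read browser memory (e.g. an EDR agent).
ALLOWED_SOURCES = {EDGE_PATH, r"c:\program files\exampleedr\agent.exe"}

# Constructed Sysmon records, one JSON object per line, reduced to the fields used here.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\msedge.exe", "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""


def suspicious_edge_memory_reads(lines):
    """Return (SourceImage, GrantedAccess) for unexpected memory-read handles on Edge."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 10:          # only ProcessAccess events
            continue
        target = event["TargetImage"].lower()
        source = event["SourceImage"].lower()
        access = int(event["GrantedAccess"], 16)
        if ntpath.basename(target) != "msedge.exe":
            continue                             # not aimed at the browser
        if not access & PROCESS_VM_READ:
            continue                             # handle cannot read memory
        if source in ALLOWED_SOURCES:            # full-path match, not file name
            continue
        hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in suspicious_edge_memory_reads(SAMPLE_EVENTS):
        print(f"review: {source} opened msedge.exe with {access}")
```

Matching the source on its full path rather than its file name is what keeps the look-alike msedge.exe in Downloads from passing as the browser itself.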

Security experts generally prefer minimizing the time sensitive data spends in memory and reducing unnecessary exposure. The browser takes a different approach, favoring convenience and performance.

How Edge handles passwords internally

When you launch Microsoft Edge, the browser initializes your profile and immediately pulls stored credentials from its local database. Instead of waiting for you to interact with a login field, it decrypts those passwords right away and keeps them available in active memory for the duration of the session.

This behavior improves speed. Autofill and sign-ins feel instant because the data is already prepared. The trade-off is that sensitive information remains exposed in memory longer than necessary, which increases the risk if something manages to access that memory space.


Pureinfotech’s Take

In my opinion, this is a flawed design, even if the company insists it’s expected behavior. The process of loading passwords into memory up front feels like a shortcut that leans too heavily on performance and not enough on security.

For most people, nothing changes on a daily basis. If your computer is clean, your passwords are not suddenly leaking. However, that framing misses the point because security is about reducing risk at every layer, not just relying on the system staying uncompromised. Once something gets in, this kind of behavior worsens the damage.

Personally, I would be cautious about relying solely on Microsoft Edge’s built-in password manager right now. Not because it’s broken, but because it is doing more in the background than it needs to. Other browsers have shown that you can balance speed and limit when sensitive data is exposed. Edge is choosing convenience first.

I have seen the software giant revisit decisions like this before, especially when enough attention builds around them. If that happens here, I would expect a more selective approach to how credentials are handled in memory. Until then, this is one of those cases where the trade-off is clear, and users should decide if they are comfortable with it.

About the author

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
