Microsoft Edge changes password handling

- Microsoft said on May 15 future Microsoft Edge releases will stop loading all saved passwords into memory in clear text at browser startup. (bleepingcomputer.com)
- Edge Security Lead Gareth Evans said the change will reach every supported channel, with the fix already live in Canary and planned for build 148 and newer. (bleepingcomputer.com)
- On June 4, 2026, Edge will automatically move remaining custom-primary-password users to device-based authentication, Microsoft support documents say. (support.microsoft.com)

Microsoft said this week it will change how Edge handles saved passwords after criticism from a security researcher who found the browser decrypted credentials into memory at startup. The company told BleepingComputer on May 15 that future versions of Edge will no longer load saved passwords into process memory in clear text when the browser starts. (bleepingcomputer.com) The change follows a May 4 disclosure by researcher Tom Jøran Sønstebyseter Rønning, who said all credentials stored in Edge’s built-in password manager were decrypted on launch and kept in memory even when not in use. Microsoft had previously described that behavior as expected under its threat model.

### What exactly did Microsoft say it is changing?

Microsoft told BleepingComputer on May 15 that future Edge versions will no longer load saved passwords into memory on startup, even though the company said the reported scenario fell within its existing threat model. (support.microsoft.com) Gareth Evans, Microsoft Edge Security Lead, said the company was making a “defense-in-depth” change and was prioritizing the rollout across supported releases. Build 148 and newer are the target for the broader update, according to BleepingComputer’s report on Microsoft’s statement. The outlet said the fix is already live in the Canary channel and will come to Stable, Beta, Dev, Canary and Extended Stable releases. (bleepingcomputer.com)

### What was the researcher’s complaint about Edge’s current behavior?

Tom Jøran Sønstebyseter Rønning said on May 4 that Edge decrypted every saved credential at launch and kept those passwords resident in process memory, even if the user never visited the related site. BleepingComputer reported that he also published a proof-of-concept tool showing how an attacker with administrator privileges could dump passwords from other users’ Edge processes. (bleepingcomputer.com) Microsoft’s own documentation says Edge stores passwords encrypted on disk using AES, with the encryption key kept in an operating-system storage area such as DPAPI on Windows or Keychain on Apple platforms. The same Microsoft Learn page says malware or code running as the signed-in user can gain decrypted access to browser storage areas, and describes that class of attack as outside the browser’s threat model. (bleepingcomputer.com)

### Why did Microsoft previously say the behavior was “by design”?

Microsoft’s published security guidance says browsers are not designed to defend against a device that is already compromised by malware running as the user. The company says local encryption is intended to protect passwords at rest and that once malicious code is running under the user’s account, it can generally do what the user can do. (bleepingcomputer.com) BleepingComputer reported that Microsoft initially told the researcher the memory behavior was “by design” and later told the outlet it remained within the expected threat model. Evans said the company was now taking “a broader view” in line with customer feedback and its Secure Future Initiative, and called reducing password exposure in memory a practical defense-in-depth step. (learn.microsoft.com)

### Does this affect other Edge password protections already in place?

Microsoft Support says Edge already offers device-based authentication before viewing or filling saved passwords, using options such as Windows Hello, Touch ID or the device sign-in password. The support page says users can enable prompts for device sign-in before viewing or autofilling website passwords. (learn.microsoft.com) March 5, 2026, was the date Microsoft stopped offering the Custom Primary Password option to new users, according to that same support page. Microsoft says existing users who had enabled the feature will be moved to device-based authentication if they do not switch on their own.
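As an added illustration (not code from the page, from Microsoft or from the researcher), this small C model contrasts the startup-decryption behaviour reported above with the on-demand pattern the change moves toward: one vault decrypts every entry at load and leaves it resident, the other decrypts a single entry for use and wipes it afterwards, and a counting check shows how many plaintext slots are exposed at each point. The XOR stream, placeholder key and sample passwords are constructed stand-ins for the AES/DPAPI storage the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PW 32
#define N_PW 3

/* One saved credential: ct is the encrypted-at-rest copy; pt is the only
 * place plaintext can live in this model and stays zeroed unless in use. */
typedef struct { uint8_t ct[MAX_PW]; size_t len; char pt[MAX_PW + 1]; } entry_t;

/* Constructed sample passwords (only here to build the sample vault) and a
 * placeholder key standing in for the DPAPI/Keychain-protected AES key. */
static const char *const SAMPLE_PW[N_PW] = {"correct-horse", "Tr0ub4dor&3", "hunter2"};
static const uint8_t KEY[] = "placeholder-key";

/* XOR stream stands in for AES so the example needs no crypto library. */
static void xor_crypt(const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ KEY[i % (sizeof KEY - 1)];
}

/* Volatile stores so the compiler cannot drop the zeroing as dead writes. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Build the vault: ciphertext only, every plaintext slot zeroed. */
void vault_init(entry_t *v) {
    for (size_t i = 0; i < N_PW; i++) {
        v[i].len = strlen(SAMPLE_PW[i]);
        xor_crypt((const uint8_t *)SAMPLE_PW[i], v[i].ct, v[i].len);
        wipe(v[i].pt, sizeof v[i].pt);
    }
}

/* "After" pattern: decrypt one entry only when it is about to be used ... */
void fill_one(entry_t *e) { xor_crypt(e->ct, (uint8_t *)e->pt, e->len); e->pt[e->len] = '\0'; }
/* ... and wipe it as soon as the view or autofill is done. */
void release(entry_t *e) { wipe(e->pt, sizeof e->pt); }

/* "Before" pattern: every entry decrypted at startup and left resident. */
void load_eager(entry_t *v) { for (size_t i = 0; i < N_PW; i++) fill_one(&v[i]); }

/* Defender's check: how many entries currently hold plaintext in memory. */
size_t plaintext_resident(const entry_t *v) {
    size_t n = 0;
    for (size_t i = 0; i < N_PW; i++) if (v[i].pt[0] != '\0') n++;
    return n;
}
```

With the eager loader every slot reports resident for the life of the process; with fill-then-release only the entry in use does, and only while it is needed.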
(bleepingcomputer.com)

### When will users see the change in released versions of Edge?

Microsoft’s stable release notes show Edge 148 was already shipping in May 2026, with versions 148.0.3967.54 on May 7 and 148.0.3967.70 on May 15. The release notes page does not yet describe the password-memory change, but BleepingComputer said Microsoft plans to include the fix in the next update for supported releases starting with build 148 and newer. (support.microsoft.com) June 4, 2026, is the next dated password-management milestone Microsoft has published. On that date, Microsoft says Edge will fully remove Custom Primary Password for opted-in users and automatically switch remaining users to device-based authentication. (learn.microsoft.com) (support.microsoft.com)
