Microsoft Edge stops plain-text passwords
- Microsoft said on May 16 that Edge will stop loading saved passwords into memory in plain text at startup, after criticism of the browser's design.
- Gareth Evans, Microsoft Edge security lead, said the change is a "defense-in-depth" step and is already live in Canary ahead of a wider release.
- Edge build 148 and newer will carry the update across the Stable, Beta, Dev, Canary and Extended Stable channels, Microsoft said.
Microsoft said it is changing how Edge handles saved credentials after a security researcher disclosed that the browser loaded every stored password into process memory in readable form at startup. The company had previously described that behavior as part of Edge's existing design, saying an attacker would already need a compromised device or elevated access to exploit it. On May 15, Microsoft said future Edge releases would no longer load saved passwords into memory on startup and that the fix was already live in Canary builds. The change is due in Edge build 148 and newer across supported release channels.

### What exactly was Edge doing before Microsoft changed course?

Tom Jøran Sønstebyseter Rønning, a security researcher, said on May 4 that Edge decrypted every password saved in its built-in password manager when the browser launched and kept those credentials in memory even if the user never visited the related sites during that session. He said Edge was the only Chromium-based browser he tested that behaved that way. (bleepingcomputer.com)

Malwarebytes reported on May 8 that Chrome and the other Chromium-based browsers the researcher examined decrypted passwords only when needed, such as for autofill or when a user chose to display a password, rather than loading the entire vault into plaintext memory at startup. That difference became the center of the criticism directed at Edge after the disclosure. (bleepingcomputer.com)

### Why did security researchers object if Microsoft said the device was already compromised?

Microsoft's earlier position was that reading those passwords from memory required the device to be compromised already, often with elevated privileges, and that such attacks were outside the browser's threat model. Security researchers did not dispute that point, but said the design still made post-compromise credential theft easier: once Edge was open, every stored password was available in one place, in the clear, without the attacker needing to trigger a decryption for each site.
(malwarebytes.com)

Proton said on May 6 that the issue was not whether passwords were encrypted on disk, but how much password data became readable at once after launch. The company said that if malware, a compromised administrator account or another attacker gained access to the session, credentials for every account saved in Edge could be exposed in a single read of process memory. (malwarebytes.com)

### What did Microsoft say when it announced the fix?

Gareth Evans, Microsoft Edge security lead, said Microsoft was making a "defense-in-depth" change that would come to every supported Edge version, including Stable, Beta, Dev, Canary and Extended Stable. He said the company was "prioritizing the rollout" and linked the move to Microsoft's Secure Future Initiative and customer feedback. (proton.me)

Microsoft said the reported scenario still fell outside Edge's existing threat model, which excludes attacks in which an adversary already has administrative control of a device. Even so, Evans said reducing the exposure of passwords in memory was "a practical step" toward lowering risk. (bleepingcomputer.com)

### Does this affect every Edge user in the same way?

Microsoft's support documentation shows the company is already changing how Edge authenticates access to saved passwords on a device. The company said Custom Primary Password stopped being available to new users on March 5, 2026, and that on June 4, 2026, the feature will be fully removed for opted-in users in favor of device-based authentication such as Windows Hello, Touch ID or the system sign-in. (bleepingcomputer.com)

That support page says Edge will require device authentication before viewing or autofilling saved passwords once the newer system is in place. The memory-handling change announced this week is separate, but it lands as Microsoft continues to rework password management around Edge and Microsoft Password Manager.

### When will the new behavior reach mainstream Edge releases?
(support.microsoft.com)

Microsoft said the fix is already live in the Canary channel and will be included in the next update for supported Edge releases in build 148 and newer. The rollout covers Stable, Beta, Dev, Canary and Extended Stable, according to Evans' statement reported on May 15. (support.microsoft.com)

June 4, 2026, is the other concrete date in Microsoft's password roadmap. That is when Edge will automatically move remaining Custom Primary Password users to device-based authentication, according to Microsoft's support page. (support.microsoft.com) (bleepingcomputer.com)
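The design difference the article describes, decrypting the whole vault at startup versus decrypting one entry on demand and scrubbing it after use, as an added illustration in C. This is not code from Microsoft, Chromium or any source cited above. The site names, sample passwords and XOR "cipher" are constructed stand-ins (a real browser binds the vault to an OS key store such as DPAPI or the macOS Keychain); the point is what a plain byte search over the process heap, which is all a memory scraper needs, turns up under each design.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the eager-vs-lazy design difference (not Microsoft's
 * or Chromium's code). EAGER decrypts every saved password at startup and
 * keeps the plaintext resident; LAZY decrypts one entry only when it is
 * needed and scrubs it right after use. The XOR "cipher" is a constructed
 * stand-in for the OS-bound encryption a real browser uses (DPAPI, Keychain);
 * it is not secure and exists only so the demo runs offline. */

#define N_ENTRIES 4
#define MAX_PW 32
#define ARENA_SIZE 1024

/* Constructed sample credentials (not real accounts). */
static const char *const SITES[N_ENTRIES] = {"mail.example", "bank.example", "shop.example", "work.example"};
static const char *const PASSWORDS[N_ENTRIES] = {"Tr0ub4dor&3", "correct-horse", "hunter22", "P@ssw0rd!"};
static const uint8_t DEMO_KEY[4] = {0x5a, 0xa5, 0x3c, 0xc3}; /* constructed, not secret */

typedef struct {
    const char *site;
    uint8_t ciphertext[MAX_PW];
    size_t len;
} VaultEntry;

typedef struct { int during; int after; } Exposure;

/* The simulated process heap. A memory scraper running as the same user
 * (or with elevated rights) reads this region wholesale. */
static uint8_t arena[ARENA_SIZE];
static VaultEntry vault[N_ENTRIES];

static void toy_crypt(const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ DEMO_KEY[i % sizeof DEMO_KEY];
}

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * store as dead (the explicit_bzero / SecureZeroMemory idiom). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Encrypt the sample vault "at rest" and start from a clean heap. */
static void build_vault(void) {
    for (size_t i = 0; i < N_ENTRIES; i++) {
        vault[i].site = SITES[i];
        vault[i].len = strlen(PASSWORDS[i]);
        toy_crypt((const uint8_t *)PASSWORDS[i], vault[i].ciphertext, vault[i].len);
    }
    secure_zero(arena, ARENA_SIZE);
}

/* Attacker's view: how many saved passwords a plain byte search over the
 * heap recovers. Returns a count in [0, N_ENTRIES]. */
static int plaintexts_in_arena(void) {
    int found = 0;
    for (size_t i = 0; i < N_ENTRIES; i++) {
        size_t len = strlen(PASSWORDS[i]);
        for (size_t off = 0; off + len <= ARENA_SIZE; off++) {
            if (memcmp(arena + off, PASSWORDS[i], len) == 0) { found++; break; }
        }
    }
    return found;
}

/* EAGER: the behaviour the researcher reported. Every entry is decrypted at
 * launch and stays resident for the session. Returns how many plaintexts a
 * scraper can now read (all of them). */
static int eager_startup_exposure(void) {
    build_vault();
    for (size_t i = 0; i < N_ENTRIES; i++)
        toy_crypt(vault[i].ciphertext, arena + i * MAX_PW, vault[i].len);
    return plaintexts_in_arena();
}

/* LAZY: decrypt only the entry one autofill needs, use it, scrub it.
 * Reports exposure while the plaintext is live and after the scrub;
 * both fields are -1 if the site is not in the vault. */
static Exposure lazy_autofill_exposure(const char *site) {
    Exposure e = {-1, -1};
    build_vault();
    for (size_t i = 0; i < N_ENTRIES; i++) {
        if (strcmp(vault[i].site, site) != 0) continue;
        uint8_t *scratch = arena;              /* transient plaintext lives here */
        toy_crypt(vault[i].ciphertext, scratch, vault[i].len);
        e.during = plaintexts_in_arena();      /* exactly one credential exposed */
        /* ... hand scratch to the autofill code path here ... */
        secure_zero(scratch, vault[i].len);    /* scrub as soon as it is consumed */
        e.after = plaintexts_in_arena();
        break;
    }
    return e;
}

int main(void) {
    printf("eager startup: %d of %d passwords readable in heap\n", eager_startup_exposure(), N_ENTRIES);
    Exposure e = lazy_autofill_exposure("bank.example");
    printf("lazy autofill: %d readable during use, %d after scrub\n", e.during, e.after);
    return 0;
}
```

Neither design defends against an attacker who can already read the browser's memory, which is the threat-model point Microsoft made; what changes is how much one read yields, which is the distinction Proton and the researchers drew. A real implementation also has to worry about copies left in freed heap chunks, registers, swap and crash dumps, none of which this demo models.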