Microsoft Edge has been found to load all saved passwords into memory in clear text at startup, making them much easier for malware or hackers to read and crack. Security researcher @L1v1ng0ffTh3L4N wrote about the exploitation on X and says “Edge is the only Chromium-based browser I’ve tested that behaves like it.”
“When you save passwords in Edge, the browser decrypts each credential when it starts and stores them in process memory. This happens even if you never visit a site that uses those credentials,” claims the security researcher. “If an attacker gains administrative access to a terminal server, he can access the memory of all logged-in user processes.”
“Microsoft Edge remembers all your saved passwords in clear text — even when you’re not using them.” pic.twitter.com/ci0ZLEYFLB (May 4, 2026)
We’ve reached out to Microsoft for comment, and a spokesperson issued the following statement:
“Safety and security are central to Microsoft Edge. Accessing browser data, as described in the reported scenario, would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access in-memory password information to help users log in quickly and securely – this is an expected feature of the app. We recommend that users install the latest security updates and anti-virus software to protect against security threats.”
This means that Microsoft is aware of this behavior and does not consider it to be much of a problem. In fact, it sounds like Edge loads all passwords into memory in plaintext because this speeds up the login and authentication process for the end user.
Instead of eliminating this behavior, Microsoft recommends that users keep their computers updated with the latest security patches to help protect against the installation of malware that might exploit this design in the Microsoft browser.
Ultimately, it’s clear that Microsoft isn’t too worried about this potential problem, at least not yet. While other browsers only cache passwords in plaintext when prompted, Edge will continue to cache all passwords in plaintext after launch.