
Is Your Browser Spilling Your Secrets? Why Microsoft Edge’s Password Handling is Raising Eyebrows

We’ve all been there: clicking "Save Password" to avoid the headache of remembering a 16-character string of gibberish.

BY PUBLISHER

We’ve all been there: clicking "Save Password" to avoid the headache of remembering a 16-character string of gibberish. It’s convenient, it’s fast, and we trust our browsers to keep those digital keys under lock and key. However, a recent discovery by security researchers suggests that if you’re using Microsoft Edge, those keys might be sitting on your "front porch" in plain sight.

Security expert Tom Jøran Sønstebyseter Rønning recently revealed a startling behavior in Microsoft Edge: the browser reportedly loads all saved passwords into the computer's memory as plaintext the moment the application starts. In the world of cybersecurity, "plaintext" is a polite way of saying "totally unencrypted and readable by anyone (or anything) with the right access."

The "Always-On" Vulnerability

The core of the issue isn't just that the passwords are unencrypted in memory, but how they stay there. Most modern browsers try to keep your sensitive data "shredded" or locked away until the exact millisecond you need to log into a site.

According to Rønning’s findings, presented at the Big Bite of Tech 26 event, Edge takes a different path. It decodes your entire vault and keeps it sitting in the system memory (RAM), even for websites you haven't visited during your current session. To prove the point, Rønning even released a tool called EdgeSavedPasswordsDumper, demonstrating how easily an "infostealer" malware or a malicious actor with admin rights could scrape those passwords directly from the browser's process memory.
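The memory-scraping path described above is something a defender can watch for on the endpoint. What follows is an added example, not Rønning's tool or any Microsoft code: it scans Sysmon ProcessAccess (Event ID 10) records and flags any process other than Edge itself that opens msedge.exe with a handle that includes PROCESS_VM_READ. The flattened log format, the sample lines and the allow-list are constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Windows process access right (winnt.h) that permits reading another
# process's address space; an infostealer needs it to scrape the vault.
PROCESS_VM_READ = 0x0010

# Sources allowed to hold read handles on Edge. Assumption for this example:
# Edge's own helper processes only; tune the allow-list for your environment.
ALLOWED_SOURCES = {"msedge.exe"}

# Constructed "Key: Value|Key: Value" rendering of Sysmon event fields.
FIELD_RE = re.compile(r"(\w+):\s*([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened Sysmon record into a field dictionary."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reads_memory(granted_access: str) -> bool:
    """True when the hex GrantedAccess mask includes PROCESS_VM_READ."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def flag_edge_memory_reads(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per non-allow-listed process that opened msedge.exe
    with memory-read rights; 'user' helps triage on shared VDI hosts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events carry GrantedAccess
        if basename(ev.get("TargetImage", "")) != "msedge.exe":
            continue
        if basename(ev.get("SourceImage", "")) in ALLOWED_SOURCES:
            continue
        if reads_memory(ev.get("GrantedAccess", "0x0")):
            hits.append({"source": ev["SourceImage"],
                         "access": ev["GrantedAccess"],
                         "user": ev.get("User", "unknown")})
    return hits


# Constructed sample records (not real telemetry); the Edge path is Edge's usual install location.
SAMPLE_LOG = [
    r"EventID: 10|SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess: 0x1410|User: CORP\alice",
    r"EventID: 10|SourceImage: C:\Users\alice\AppData\Local\Temp\stealer.exe|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess: 0x1010|User: CORP\alice",
    r"EventID: 10|SourceImage: C:\Windows\System32\Taskmgr.exe|TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|GrantedAccess: 0x1000|User: CORP\bob",
    r"EventID: 1|Image: C:\Windows\System32\notepad.exe|User: CORP\bob",
]

if __name__ == "__main__":
    for hit in flag_edge_memory_reads(SAMPLE_LOG):
        print(f"ALERT: {hit['source']} opened msedge.exe with {hit['access']} as {hit['user']}")
```

Only the second record is reported: Edge opening itself is allow-listed, and Task Manager's 0x1000 mask lacks the read bit.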

Why This Matters for the Modern Office

While a solo user at home has some layer of protection, this discovery is a major red flag for corporate environments. Many businesses rely on shared systems like Citrix, Terminal Servers, or Virtual Desktop Infrastructure (VDI).

In these setups, multiple users are often logged into the same powerful machine simultaneously. If an attacker gains high-level access to that one machine, they don't just get one person's data—they could potentially harvest the plaintext passwords of every single user currently logged in, even if those users aren't actively browsing. As security expert Morey Haber noted, a password that sits in clear text memory stops being a security tool and starts being a liability.

Microsoft’s Stance: Performance vs. Protection

When confronted with these findings, Microsoft’s response was essentially: this is by design. The tech giant argues that there is a delicate balance between browser speed and security. Their logic is that if a hacker has already gained enough access to your system to scan its deep memory, your device is already "pwned" (compromised), and the plaintext passwords are just one of many problems you'll face.

However, competitors like Google Chrome have moved toward "App-Bound Encryption," which ties the data to the specific app and only decrypts it on-demand. By choosing performance over this extra layer of "defense-in-depth," Edge leaves a window open that many experts feel should be bolted shut.

Thinking Beyond the Browser Vault

This revelation highlights a growing trend in the cybersecurity community: the "de-centralization" of secrets. Relying on your browser to be your primary security vault is increasingly seen as a "convenience tax" that might be too expensive to pay.

If you want to stay ahead of these risks, here are two fresh perspectives to consider:

  1. The Rise of Kernel-Level Protection: We are seeing a new wave of security tools that protect memory at the "kernel" level (the very heart of the OS), preventing unauthorized apps from "peeking" at what other apps are doing.
  2. Dedicated Password Managers: Moving your data to a dedicated manager (like Bitwarden, 1Password, or Keeper) keeps your credentials out of the browser's memory entirely. These apps are built specifically to handle secrets, whereas browsers are built to display websites—and sometimes, those two goals conflict.

The "broken trust" here isn't that Edge is insecure, but that it handles sensitive data with a level of transparency that feels outdated in 2026. If your browser is essentially leaving your house keys on the kitchen table, it might be time to invest in a better safe.

What do you think? Do you prioritize the speed of your browser, or are you willing to take a performance hit for better encryption? Let us know in the comments or share this with someone who still saves their bank passwords in their browser!

Originally featured on: Hackread

INTELLIGENCE SOURCE:INVENTRIUM RESEARCH