Microsoft Edge It has been found to store all passwords in plain text when loaded into memory at startup, making passwords much easier to read and extract by malware or hackers. cybersecurity researcher @L1v1ng0ffTh3L4N posted about the exploit in X, and says “Edge is the only Chromium-based browser I’ve tested that behaves this way.”
“When you save passwords in Edge, the browser decrypts each credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.” says the security researcher. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged-in user processes.”
Microsoft Edge loads all your passwords saved in memory in clear text, even when you’re not using them. pic.twitter.com/ci0ZLEYFLBMay 4, 2026
We reached out to Microsoft for comment and a spokesperson issued the following statement:
“Security and protection are critical for Microsoft Edge. Accessing browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review them in the face of evolving threats. Browsers access password data in memory to help users log in quickly and securely. This is an expected feature of the app. “We recommend users install the latest security updates and antivirus software to help protect against security threats.”
That means Microsoft is aware of this behavior and doesn’t consider it a big problem. In fact, it appears that Edge loads all passwords into memory using plain text by design, as it speeds up the login and authentication process for the end user.
Instead of addressing this behavior, Microsoft recommends that users ensure their PCs are updated with the latest security patches to help protect against installing malware that could exploit this design in Microsoft’s browser.
Ultimately, it’s clear that Microsoft isn’t too worried about this potential issue, at least for now. While other browsers will only load passwords into memory using plain text when prompted, Edge will apparently continue to load all passwords into memory in plain text upon startup.
Join us at Reddit at r/WindowsCentral to share your ideas and discuss our latest news, reviews and more.
