Microsoft backpedals: Edge to stop loading passwords into memory Home News Microsoft Microsoft backpedals: Edge to stop loading passwords into memory Sergiu Gatlan May 15, 2026 10:49 AM Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.
Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users' Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user). He also said he reported the issue to Microsoft and was told the behavior was "by design" before he publicly disclosed it. "Edge is the only Chromium‑based browser I've tested that behaves this way.
By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory," the researcher said . While it initially refused to address the issue, telling BleepingComputer at the time that "this is an expected feature of the application," Microsoft announced on Wednesday that future versions of Edge will no longer load saved passwords into memory on startup, even though the reported scenario falls within the expected existing threat model (which excludes attacks where an adversary already has administrative control of a device). "This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout," said Microsoft Edge Security Lead Gareth Evans . "With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view.
That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction." The fix is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer).
Last year, Microsoft also introduced a new Edge security feature to protect users against malicious extensions sideloaded into the web browser, and restricted access to Edge's Internet Explorer mode after hackers began leveraging zero-day exploits in the Chakra JavaScript engine to access target devices. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network?
They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now Microsoft: Some Teams users can’t join meetings after Edge update Firefox now has a free built-in VPN with 50GB monthly data limit Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 Microsoft warns of Exchange zero-day flaw exploited in attacks Microsoft to automatically roll back faulty Windows drivers Browser Microsoft Microsoft Edge Passwords Web Browser Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade.
Email or Twitter DMs for tips. IhateMicroSoft 19 hours ago I guess that is one way to avoid paying out a bug bounty. "By design!", now lets fix it and do the right thing, without paying out. Mr.Tom ""this is an expected feature of the application" They probably call all those 120 flaws they fixed Tuesday "features" too. NoneRain 18 hours ago classic Microslop Post a Comment Community Rules You need to login in order to post a comment Not a member yet?
Register Now You may also like: Upcoming Webinar Popular Stories Windows BitLocker zero-day gives access to protected drives, PoC released Dell confirms its SupportAssist software causes Windows BSOD crashes OpenAI confirms security breach in TanStack supply chain attack Sponsor Posts Are stolen sessions bypassing your security? Find out for free. 12 steps to defend against AI-powered exploits before the Glasswing report drops Overdue a password health-check?
Audit your Active Directory for free https://www.nmftacyber.com/ Login Username Password Remember Me Sign in anonymously Sign in with Twitter Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT