Normal view

Microsoft is changing Edge’s plaintext password behavior

18 May 2026 at 12:42

Microsoft said it will change Edge’s password handling as a “defense‑in‑depth” measure.

Originally, Edge decrypted the entire saved‑password store on startup and kept all credentials resident in process memory in clear text for the whole browser session, regardless of whether a given credential was ever used or not.

A short while ago, Microsoft said this plaintext password behavior was by design. Now, Microsoft has changed course, and the new password-handling behavior is already present in Canary (the experimental preview version of Microsoft Edge), with rollout prioritized across all channels.

The researcher who originally flagged the issue said:

“Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.”

Microsoft Edge Security Lead Gareth Evans said Microsoft is now taking a broader view and has committed to changing Edge so that saved passwords are no longer loaded into memory on startup as clear text. As a result, exposure will be reduced as a defense‑in‑depth improvement. That means even if an attacker has administrative control of a device, it becomes harder to harvest all the passwords.

According to Microsoft:

“Going forward, Microsoft Edge will no longer load all saved passwords into memory at browser startup. Instead, passwords will be decrypted only when needed for autofill or password management operations.”

The change is already live in the Edge Canary channel and will be included in the next update for all supported Edge releases (build 148 and newer across Stable, Beta, Dev, Canary, and Extended Stable).

The reason for this change is probably more reputational and strategic rather than an acknowledgment of an exploitable vulnerability. Microsoft seems to want to align reality with its “secure by design” messaging and reduce a very visible, easy‑to‑demo weakness, even if it still doesn’t treat it as a classic memory‑disclosure bug.

Passwords in your browser

Please note that this change just means Edge will become roughly as secure an option to store passwords as every other Chromium-based browser.

Your browser password manager gives you ease of use, but that comes with some security tradeoffs. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident a website is safe, and anyone who can access it under your account wouldn’t learn anything sensitive, feel free to store the password in your browser, but disable autofill so you stay in control.

Use MFA where possible. It enormously reduces the risk if someone gets hold of your password. And avoid using the browser password manager to store your credit card details or other sensitive personally identifiable information, such as medical information.


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Microsoft says Edge’s plaintext password behavior is “by design”

8 May 2026 at 14:48

Some time ago, we discussed whether you should allow your browser to remember your passwords.

In that article we mentioned the importance of encryption.

With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).”

The typical behavior of browser password managers is to store passwords encrypted on disk, tied to your user account, and protected by the operating system.

But recently, a security researcher systematically tested every major Chromium-based browser for how they handle credentials in memory. The researcher found that Edge was the only one loading the entire password vault into plaintext process memory at startup, where it remains for the duration of the session.  

Chrome and other Chromium browsers were observed to only decrypt a password when needed (autofill or “show password”), not the whole vault, and to use mechanisms like app‑bound encryption for keys. Edge does not use those protections in this context.

So, the researcher decided to write a proof-of-concept (PoC) demonstrating that accessing that vault doesn’t rely on zero-days or complex exploitation. It relies on the relatively simple ability to read process memory, which does require elevated privileges.

But when the researcher reported the issue to Microsoft, the response was underwhelming. The company’s official response was that the behavior is “by design.” The reasoning most likely is that this behavior speeds up sign‑in and autofill, and attackers would already need a compromised machine or elevated access to read RAM, which Microsoft treats as out of scope for this design decision.

Which is basically true. An attacker already needs significant foothold: for example, code execution on the box and the ability to read Edge’s process memory, often requiring elevated privileges. This is not a remote, unauthenticated bug in the browser, but the design makes post‑compromise credential harvesting easier. And it’s a capability many infostealers already have.

It’s just another thing an attacker can do once they’ve compromised your machine. Combined with this academic study from 2024, which found many password managers leak plaintext passwords into memory under some conditions, it leads us to repeat our advice.

Should you allow your browser to remember your passwords?

Your browser password manager gives you ease of use, but that costs you some security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident the website is safe, and anyone that can access it under your account won’t learn anything new, feel free to store the password in your browser, but disable autofill so you stay in control.

Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information, such as medical information.

But we’d add that, among the major browsers, Edge appears to be the weakest option if you still choose to use a built‑in password manager.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Browser Guard gets even better with Access Control 

16 April 2026 at 14:40

Have you ever been on a website when a pop-up suddenly asked for access to your camera, microphone, location, or notifications? Whether you clicked “allow,” dismissed it, or just wondered why it appeared, those permission requests aren’t always harmless. Some sites can abuse those permissions.

With Access Control, a new feature in Browser Guard, you decide exactly which websites can access your device and stop the rest. That means you choose which websites can: 

  • Use your camera
  • Use your microphone
  • Access your location
  • Send you notifications 

Further, not only can you control which websites have access to your devices, but you can also block websites or even require those specific sites to request permission every single time they try to gain access to your machines. You can always allow trusted sites to access your camera or location while blocking everything else.  

Access Control is now available for Malwarebytes subscribers using Chrome and Edge browsers on a Windows device. 

How to use Access Control 

We designed Access Control to be both powerful and simple because we know every moment you spend getting set up is another moment you’re left unprotected.  

How to use Access Control:  

  • Install/Open Browser Guard: Click the Malwarebytes icon in your browser’s header 
  • Access Dashboard: Click the Dashboard tab at the bottom of the extension panel. 
  • Navigate to Access Control: On the left sidebar of the web page, select Access Control. 
  • Manage Permissions: See visited websites, click “Allow” to enable or disable Malwarebytes’ ability to see visited sites.
  • Access Control requires some access to your browsing to protect you online
  • Access Control lets you choose individual sites to block and allow

This feature is rolling out in beta first, so you might see improvements and updates as we refine it. Currently, the feature works across Chrome and Edge, but will roll out to other browsers soon.  

Access Control is another step toward making privacy simple and accessible.  Not a subscriber yet? Check out  Malwarebytes’ plans today to unlock this feature and more. 


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

❌