Microsoft Edge storing passwords as plain text? Microsoft responds.

Password managers are supposed to make life easier for users by remembering their passwords and keeping them secure.

However, one cybersecurity researcher has discovered a quite concerning development regarding Microsoft Edge and how the web browser’s password manager behaves.

According to researcher Tom Jøran Sønstebyseter Rønning, Microsoft Edge loads every saved password into memory at startup — in plaintext.

In a thread on X, Rønning detailed how the credentials are decrypted even if a user doesn’t visit a site that uses the password manager during the user session.

This Tweet is currently unavailable. It might be loading or has been removed.

“If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes,” ​​Rønning writes.

Edge is Microsoft’s proprietary web browser based on the Chromium open-source project, the code base developed and maintained by Google. However, as Rønning shared, this issue involving plain text credentials does not appear in other Chromium-based browsers like Google Chrome.

“Edge is the only Chromium‑based browser I’ve tested that behaves this way,” says ​​Rønning. “By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.”

​​Rønning says he first reached out to Microsoft regarding his findings before publicly disclosing the issue. According to the cybersecurity researcher, Microsoft responded by saying this behavior in Microsoft Edge was “by design.”

The German tech website Heise Online replicated the password issue. The site also noted that, according to well-established cybersecurity best practices, “passwords should only be decrypted at the time of use and deleted from memory very shortly thereafter.”

Given Microsoft’s alleged response to Rønning, users concerned about the potential issue should consider alternative password managers.

Mashable has reached out to Microsoft for more information regarding the recent findings. We will update this piece if we hear back.