Microsoft Edge saves passwords in cleartext 'by design' and researchers argue 'this turns into a credential harvest' on shared PCs
A Norwegian cybersecurity researcher recently spotted that passwords in Microsoft Edge are saved in memory in cleartext. Thus exposing all passwords to anyone that might wish to peek behind the curtain, providing they can gain access to the PC through other means, including a shared admin.
The researcher, Tom Jøran Sønstebyseter Rønning, says, "Edge is the only Chromium‑based browser I’ve tested that behaves this way."
When Rønning reported this to Microsoft, they were reportedly told this behaviour is "by design."
Rønning clarifies that Edge decrypts every credential at startup, regardless of whether you visit a site using those credentials. This doesn't mean that one can simply access those passwords with little know-how, though. A user needs administrative access to a terminal server, which is already a major breach on a computer, but from here, "they can access the memory of all logged‑on user processes."
Importantly, one could have administrative rights on one account and use that to compromise the stored credentials for other logged-in users. Rønning posted an Edge password dumper tool on GitHub that simulates this process.
One could argue that if a user has admin rights, they can already cause havoc on a rig if they have access, and that's true. But something worth considering is that many PC users will have admin rights on their accounts as a default. And even if you have admin rights, you often have to use passwords to get access to password managers, or even use two-factor authentication. Cleartext saved passwords, as argued by International Cyber Digest, means "in shared environments, this turns into a credential harvest."
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLBMay 4, 2026
Last year, researcher @LopezLucio666 reported this to Microsoft, and it said, "after careful investigation, this case has been assessed as not a vulnerability and no security and does not meet Microsoft's bar for immediate servicing."
Chrome, inversely, decrypts credentials when required, so it doesn't keep them decrypted in memory at all times. It binds decryption to an authenticated Chrome process, which means other processes on the machine can't duplicate the process of Chrome's encryption keys.
Microsoft's "password manager security" web page / FAQ does briefly address this point, but argues "Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in. "
The research of Rønning and others suggests the system is not quite doing its job in preventing attackers from getting those plaintext passwords, so hopefully the noise around its discovery can urge Microsoft to give it another look. We have reached out to Microsoft for comment on this story.