
Microsoft Edge: No More Plaintext Passwords in Browser Process

(Image: Dirk Knop / heise medien)

Microsoft's Edge previously loaded all passwords from the password manager at startup and kept them in plaintext in the process memory. But not anymore.

Two weeks ago, it caused a stir that Microsoft's web browser Edge loads all passwords from the password manager at startup and keeps them in plaintext in process memory. After the media reports, the developers responded, and updated browser versions no longer do this.

In the release notes for Microsoft Edge [1] for the update from Friday, the developers state that they have solved the problem. They write that they have made changes to the password manager. These are intended to ensure that passwords are no longer loaded into memory at browser startup.

A blog post [2] provides further information. First, the programmers explain that Edge's previous behavior was consistent with the expected threat model based on existing criteria. The risk presupposes that an attacker has already compromised the device. Nevertheless, they see room for improvement. As a first measure, Microsoft Edge no longer loads passwords into memory at startup. The update is being rolled out with prioritization for Microsoft Edge version 148 and newer. Users of the Edge password manager do not need to do anything; the change should arrive through the regular update channel.

Error report handling not ideal

The developers also write that they will take a closer look at how such error reports are handled. The initial response to the bug report from Tom Jøran Sønstebyseter Rønning was based on specific criteria for the Chromium project. These are to be understood as a baseline, but Microsoft wants to set a higher bar for itself. The process for handling bug reports from IT researchers will be reviewed again. The developers want to strengthen the focus on speed, clarity, and a defense-in-depth approach, and to start with this approach earlier.

About two weeks ago, we were able to reproduce the problem easily. After a browser restart, the password of a freshly created account in Microsoft's password manager could be found in plaintext in a dump of the process memory [3]. In a test with a current Microsoft Edge version, specifically 148.0.3967.70, searching process memory no longer easily yields the password. Users of the Chromium-based Edge should therefore ensure that their browser is up to date.

See also: Microsoft Edge [4] at heise download.

(dmk [6])

URL of this article: https://www.heise.de/-11296765

Links in this article:
[1] https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel#version-1480396770-may-15-2026-stable
[2] https://microsoftedge.github.io/edgevr/posts/Saved-passwords-in-Edge-memory-what-were-changing-and-why/
[3] https://www.heise.de/news/Microsoft-Edge-Passwoerter-landen-als-Klartext-im-Speicher-11281407.html
[4] https://www.heise.de/download/product/microsoft-edge-97196?wt_mc=intern.red.download.tickermeldung.ho.link.link
[5] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[6] mailto:dmk@heise.de

Copyright © 2026 Heise Medien
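The dump check described in the article can be repeated on a test profile with a canary password you saved yourself. The script below is an added example, not code from heise or Microsoft: it searches an already existing process memory dump for that canary in UTF-8 and UTF-16LE. The dump path, the canary value and both function names are assumptions.

```python
# Added example: search a process memory dump for a self-planted canary
# password. Dump path and canary are supplied by the tester (assumptions).
import sys

CHUNK = 1 << 20  # read 1 MiB at a time so large dumps do not exhaust RAM


def needle_encodings(canary: str) -> dict[str, bytes]:
    """Byte forms in which a Windows process commonly holds strings."""
    if not canary:
        raise ValueError("canary must not be empty")
    return {
        "utf-8": canary.encode("utf-8"),
        "utf-16le": canary.encode("utf-16-le"),
    }


def scan_dump(path: str, canary: str, chunk: int = CHUNK) -> list[tuple[int, str]]:
    """Return sorted (file offset, encoding) for every canary occurrence."""
    needles = needle_encodings(canary)
    overlap = max(len(n) for n in needles.values()) - 1
    hits = set()  # a set, because the kept tail can be matched twice
    with open(path, "rb") as fh:
        base, buf = 0, b""  # base = file offset of buf[0]
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf += block
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = buf.find(needle, pos + 1)
            # Keep the tail so a match spanning two reads is still found.
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return sorted(hits)


if __name__ == "__main__":
    found = scan_dump(sys.argv[1], sys.argv[2])
    for offset, enc in found:
        print(f"canary found at offset {offset:#x} ({enc})")
    sys.exit(1 if found else 0)  # non-zero exit: plaintext canary present
```

An empty result only shows that the canary is absent in these two encodings at the moment the dump was taken.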
