Microsoft Backs Down: Edge Will No Longer Load Passwords in Memory

The bottom line: Microsoft will update its Edge browser to stop loading stored passwords in memory at startup. This follows pressure from security researchers and customers, despite Microsoft initially defending the practice as intentional.

After initial resistance, Microsoft has committed to updating its Edge browser and will stop loading stored passwords unencrypted into memory at startup. This comes after a security researcher revealed the vulnerability.

A security researcher has uncovered that Microsoft’s Edge browser decrypts all stored passwords at startup and keeps them permanently in memory – even when not actively in use. Tom Jøran Sønstebyseter Rønning published a proof-of-concept tool in May that allows attackers with administrator privileges to read passwords from other Edge processes. Microsoft initially responded defensively, calling the behavior “intentional functionality.”

Rønning observed that Edge was the only browser among all tested Chromium-based browsers that behaved this way. Google Chrome, by contrast, uses a security design that makes it significantly harder to steal passwords simply by reading memory.

Under pressure from customer feedback, Microsoft announced on Wednesday that future Edge versions will no longer load passwords into memory at startup. This will be rolled out across all supported channels – Stable, Beta, Dev, Canary, and Extended Stable for enterprise customers. Microsoft’s Edge Security Lead Gareth Evans emphasized that this improvement in defense-in-depth aligns with the company’s commitment to the “Secure Future Initiative” and is based on broader customer feedback. The fix is already available in the Edge Canary channel and will be rolled out in upcoming updates starting with Build 148.