Microsoft Edge Exposes Passwords In Cleartext

On April 29, researcher Tom Jøran Sønstebyseter Rønning, posting as @L1v1ng0ffTh3L4N, presented findings showing that Microsoft Edge decrypts every saved password at startup and keeps all of them in process memory, in cleartext, for the entire browser session. According to the researcher, this is not limited to credentials for the sites the user is currently visiting: every credential the user has ever saved is decrypted the moment Edge opens and stays resident in the browser process until it exits.

Uzair Gadit, Founder & CEO, Secure.com

“What makes this Edge finding unusual is not just the technical behavior, it is the assumption behind it. Users are told to follow best practices, use strong passwords and use a password manager, and they did. The problem is the software holding those credentials made a design decision that fundamentally changes the risk, and most users were never made aware of it.

“On its own, requiring administrative access might sound like a limiting factor. In reality, that’s exactly where many enterprise breaches begin. Once an attacker gains privileged access in a shared environment like RDS or Citrix, the difference between decrypting credentials on demand versus holding them all in memory becomes significant. It can turn a single compromised account into a broad credential exposure event across multiple users.

“This is where the cyber sector needs to shift its thinking. We have spent years telling users to improve password hygiene, but this isn’t a hygiene problem, it’s an exposure problem. The question is no longer just how strong a password is, but how long it exists in a usable state, where it exists, and who or what can access it there.

“The architectural difference highlighted here is important: minimizing the time credentials exist in plaintext reduces risk. Keeping everything decrypted for convenience increases it. Both are intentional design choices, but only one aligns with how attackers increasingly operate, especially as automation and AI make it easier to move laterally once access is established.

“World Password Day tends to focus attention on user behavior. This is a reminder that the bigger risk often sits one layer below that, in the design decisions made by those producing the tools people are told to trust. If those decisions prioritize usability over exposure reduction, then even a user’s perfect password hygiene won’t consistently deliver the security outcome their organizations expect.

“The real takeaway isn’t that passwords are weak, it’s that credential exposure still isn’t being treated as a first-order risk in system design. Until that changes, attackers will continue to focus less on breaking in and more on taking advantage of what’s already available once they are inside.”

This is pretty bad and it is an epic problem that needs to be addressed. I would be very interested to see how Microsoft addresses this, as they are the only Chromium-based browser to have this issue.
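The architectural difference Gadit draws, decrypting everything at startup versus decrypting one credential on demand and wiping it afterwards, can be made concrete. The block below is an added illustration written for this post; it is not Edge's code or the researcher's. It models the two designs with a toy, standard-library-only cipher, constructed sample passwords, and a "memory reader" that inspects this process's own address space through ctypes (the object-layout assumptions are CPython's). The names EagerVault, OnDemandVault, found_in and the sample credentials are the example's own.

```python
"""Added illustration: decrypt-everything-at-startup vs decrypt-on-demand,
seen through a read of the process's own memory (CPython only)."""
import ctypes
import hashlib
import os
import sys

# Toy cipher (SHA-256 in counter mode XORed over the data, random nonce). It is
# here only so the example runs with the standard library; it is unauthenticated
# and must not be used for real secrets.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt_into(key: bytes, blob: bytes, out: bytearray) -> None:
    """Decrypt into a caller-owned bytearray, byte by byte, so no immutable
    bytes copy of the plaintext is created and the buffer can be wiped later."""
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    out[:] = bytes(len(ct))                 # zero-filled, right-sized
    for i in range(len(ct)):
        out[i] = ct[i] ^ ks[i]

# What a process-memory reader sees. Both helpers read this process's own
# address space; a real attacker with debug rights over the process (or local
# admin) does the same from outside with a memory dump.
def read_bytes_object(b: bytes) -> bytes:
    """Raw memory of a CPython bytes object: header plus payload, at its address."""
    return ctypes.string_at(id(b), sys.getsizeof(b))

def read_bytearray_buffer(ba: bytearray) -> bytes:
    """Raw contents of a bytearray's heap buffer."""
    view = (ctypes.c_char * len(ba)).from_buffer(ba)
    return ctypes.string_at(ctypes.addressof(view), len(ba))

class EagerVault:
    """The design the post describes: everything decrypted at startup and held
    as immutable bytes for the whole session. Immutable objects cannot be
    wiped; they stay readable until the interpreter frees them."""
    def __init__(self, key: bytes, store: dict):
        self.plain = {}
        for name, blob in store.items():
            tmp = bytearray()
            decrypt_into(key, blob, tmp)
            self.plain[name] = bytes(tmp)   # permanent cleartext copy (tmp is not wiped either)

    def get(self, name: str) -> bytes:
        return self.plain[name]

    def memory_image(self) -> bytes:
        return b"".join(read_bytes_object(b) for b in self.plain.values())

class OnDemandVault:
    """Alternative: keep only ciphertext resident; decrypt one credential into
    a scratch buffer for the duration of a call, then wipe it in place."""
    def __init__(self, key: bytes, store: dict):
        self._key = key
        self._store = dict(store)

    def use(self, name: str, fn):
        buf = bytearray()
        decrypt_into(self._key, self._store[name], buf)
        try:
            return fn(buf)
        finally:
            buf[:] = bytes(len(buf))        # wipe before the buffer is freed

    def memory_image(self) -> bytes:
        return b"".join(self._store.values())   # ciphertext only is resident

# Constructed sample data for the example (not real credentials).
SECRETS = {"bank": b"correct-horse-battery", "mail": b"Tr0ub4dor&3", "vpn": b"hunter2hunter2"}
KEY = hashlib.sha256(b"example master key").digest()
STORE = {name: encrypt(KEY, pw) for name, pw in SECRETS.items()}

def found_in(region: bytes) -> list:
    """Names of the sample credentials whose cleartext appears in region."""
    return sorted(name for name, pw in SECRETS.items() if pw in region)

def eager_exposure() -> list:
    vault = EagerVault(KEY, STORE)
    return found_in(vault.memory_image())   # every credential, at any point in the session

def on_demand_exposure():
    """(at rest, during one use, after the wipe) for the on-demand design."""
    vault = OnDemandVault(KEY, STORE)
    captured = {}
    def capture(buf):
        captured["during"] = read_bytearray_buffer(buf)   # the attacker's snapshot
        captured["buf"] = buf                             # keep buffer alive to re-read it
    vault.use("bank", capture)
    after = read_bytearray_buffer(captured["buf"])
    return found_in(vault.memory_image()), found_in(captured["during"]), found_in(after)

if __name__ == "__main__":
    print("eager vault, any time in session:", eager_exposure())
    print("on-demand vault (at rest, in use, after wipe):", on_demand_exposure())
```

Run stand-alone, the eager vault yields all three credential names from a single memory read at any time, while the on-demand vault yields none at rest, only the one credential actually in use during the call, and none after the wipe. Two caveats carry over to real software: the design goal is to bound the lifetime and count of cleartext copies, not to pretend none ever exist (the keystream and the snapshot copy above are both extra copies a careless implementation would leak), and the master key itself is the next thing a memory reader goes after, so it needs the same treatment.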
