Key takeaways
- Microsoft Edge will no longer store your passwords in plaintext in RAM.
- The behavior occurred if you used the Edge browser as your password manager.
- The change takes effect in Edge version 148 or later.
Do you use Microsoft Edge to save and manage your website passwords? If so, you should now feel safer that your passwords will be better protected from security risks.
In a recent post by Microsoft Edge Security Team Lead Gareth Evans, the company announced that Edge will no longer hold your plaintext passwords in memory. The change comes in response to a recent finding that questioned the safety and security of your stored passwords.
A security researcher found that Edge was storing your plaintext passwords in memory when you used the browser to manage them. In a social media post, researcher Tom Jøran Sønstebyseter Rønning explained how the process worked and posted a video showing it in action.
"When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory," Rønning said. "This happens even if you never visit a site that uses those credentials. At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI -- yet the browser process already has them all in plaintext."
Microsoft called the behavior an expected feature
On GitHub, Rønning posted the code he created to detect this behavior. Dubbed EdgeSavedPasswordsDumper, the code demonstrates that any credentials stored by someone using the Microsoft Password Manager in Edge are saved in plaintext in the Edge process memory.
In a statement shared with , Microsoft acknowledged this behavior but said that it's an expected feature and would pose a risk only if your device was already compromised.
"Access to browser data as described in the reported scenario would require the device to already be compromised," a Microsoft spokesperson said in the statement. "Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely -- this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
Microsoft's claim that your device would already need to be compromised appears to ring true, at least based on Rønning's testing. As shown in a video, the process is predicated on an attacker having already compromised a user account with administrative rights, which would then give them access to the memory of all logged‑on user processes, with the plaintext passwords viewable.
Despite its claim that this was intended behavior, Microsoft reversed its position.
"We will no longer load passwords into memory on startup," Evans said in his post. "This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we're prioritizing the rollout. The change is live now in Edge Canary and included in the next update for all Edge releases, build 148 and newer."
Version 148 has already been released, so you should be better protected after updating. To do this, click the three-dot Settings icon at the top, go to Help and feedback, and select About Microsoft Edge. The latest update will automatically download and install. Restart Edge, and the new version will be in place. Beyond installing the latest version, you don't need to take any special action.
While Microsoft's original justification may have been valid, this type of behavior seemed unique to Edge's password manager. Rønning said that Edge is the only Chromium‑based browser he's tested that acts this way. In contrast, Google Chrome decrypts credentials only when needed rather than keeping all passwords in memory at all times. Chrome's design makes it far more difficult for an attacker to extract saved passwords by simply reading the device's memory, Rønning added.
"Despite Edge being Chromium-based, none of the other Chromium-based browsers I have tested are using Microsoft Password Manager to store passwords and autofill data," said Rønning. "And I doubt that's based on Chromium?"
In response to Rønning's post, another person said that the credentials could be stored in memory in an encrypted format. They would be decrypted only when required to sign in to a website and then immediately wiped thereafter.
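The two designs contrasted in this article (the reported Edge behavior of decrypting every credential at startup and keeping it resident, versus the decrypt-only-when-needed-then-wipe design described for Chrome and suggested in the reply above) can be modeled in a few dozen lines. The following is an added example written for this article; it is not Edge, Chromium, or EdgeSavedPasswordsDumper code. The `toy_crypt` keystream is a hypothetical stand-in for the OS-backed decryption a real browser would use, the `eager_store_t`/`lazy_store_t` names and the sample passwords are constructed for the example, and `region_contains` is a simple defender's check that scans one in-process object for a secret in the clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CREDS 4
#define MAX_LEN   32

/* Toy XOR keystream (xorshift32 seeded from the store key). Hypothetical
 * stand-in for real OS-backed decryption; it exists only so the difference
 * between ciphertext and plaintext is visible in process memory. */
static void toy_crypt(uint32_t key, const uint8_t *in, uint8_t *out, size_t n) {
    uint32_t s = key ^ 0x9E3779B9u;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        out[i] = in[i] ^ (uint8_t)s;
    }
}

/* Wipe through a volatile pointer so the compiler cannot drop it as dead code. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

typedef struct { uint8_t ct[MAX_LEN]; size_t len; } stored_cred_t;

/* Design A (the reported Edge behavior): decrypt every credential at startup
 * and keep a plaintext cache resident for the life of the process. */
typedef struct {
    uint32_t key; size_t count;
    stored_cred_t creds[MAX_CREDS];
    uint8_t plaintext[MAX_CREDS][MAX_LEN];
} eager_store_t;

/* Design B (decrypt on demand): only ciphertext is resident; plaintext lives in
 * a caller-scoped buffer for one use and is wiped before the call returns. */
typedef struct {
    uint32_t key; size_t count;
    stored_cred_t creds[MAX_CREDS];
} lazy_store_t;

static void seal_cred(stored_cred_t *slot, uint32_t key, const char *pw) {
    slot->len = strlen(pw);
    toy_crypt(key, (const uint8_t *)pw, slot->ct, slot->len);
}

void eager_store_open(eager_store_t *s, uint32_t key, const char *const *pws, size_t n) {
    memset(s, 0, sizeof *s);
    s->key = key; s->count = n;
    for (size_t i = 0; i < n; i++) {
        seal_cred(&s->creds[i], key, pws[i]);
        toy_crypt(key, s->creds[i].ct, s->plaintext[i], s->creds[i].len); /* cached in clear */
    }
}

void lazy_store_open(lazy_store_t *s, uint32_t key, const char *const *pws, size_t n) {
    memset(s, 0, sizeof *s);
    s->key = key; s->count = n;
    for (size_t i = 0; i < n; i++) seal_cred(&s->creds[i], key, pws[i]);
}

/* Decrypt one credential into a stack buffer, hand it to the sign-in routine,
 * then wipe the buffer. Returns the callback's result, or -1 for a bad index. */
int lazy_store_use(const lazy_store_t *s, size_t idx,
                   int (*use)(const char *pw, void *ctx), void *ctx) {
    if (idx >= s->count) return -1;
    uint8_t buf[MAX_LEN + 1];
    toy_crypt(s->key, s->creds[idx].ct, buf, s->creds[idx].len);
    buf[s->creds[idx].len] = '\0';
    int rc = use((const char *)buf, ctx);
    secure_wipe(buf, sizeof buf);
    return rc;
}

/* Defender's check: does this memory region hold the secret in the clear? */
int region_contains(const void *region, size_t n, const char *needle) {
    size_t k = strlen(needle);
    const uint8_t *p = region;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(p + i, needle, k) == 0) return 1;
    return 0;
}

/* Constructed sample credentials (not real). */
static const char *const SAMPLE_PWS[] = { "hunter2-example", "correct-horse-example" };
static int copy_pw_cb(const char *pw, void *ctx) { strcpy((char *)ctx, pw); return 0; }

/* 1 if design A leaves SAMPLE_PWS[0] readable inside the store object. */
int eager_exposes_plaintext(void) {
    eager_store_t s;
    eager_store_open(&s, 0xC0FFEEu, SAMPLE_PWS, 2);
    return region_contains(&s, sizeof s, SAMPLE_PWS[0]);
}

/* 1 if design B leaves SAMPLE_PWS[1] readable in the store after one sign-in use. */
int lazy_exposes_plaintext(void) {
    lazy_store_t s; char got[MAX_LEN + 1] = {0};
    lazy_store_open(&s, 0xC0FFEEu, SAMPLE_PWS, 2);
    if (lazy_store_use(&s, 1, copy_pw_cb, got) != 0) return -1;
    if (strcmp(got, SAMPLE_PWS[1]) != 0) return -1; /* on-demand decrypt must still work */
    return region_contains(&s, sizeof s, SAMPLE_PWS[1]);
}

int main(void) {
    printf("eager store exposes plaintext: %d\n", eager_exposes_plaintext()); /* 1 */
    printf("lazy store exposes plaintext:  %d\n", lazy_exposes_plaintext());  /* 0 */
    return 0;
}
```

The point the check makes is the one Rønning and Haber raise: with the eager design, anyone who can read the process's memory gets every saved password whether or not a site ever asked for it; with the on-demand design, the store object never contains plaintext, and the only clear copy is the short-lived buffer that is wiped as soon as the sign-in routine returns (the consumer of the password, here `copy_pw_cb`, is then responsible for its own copy).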
"From a defensive perspective, storing passwords in clear-text memory violates the principles of least privilege, zero trust, and secure application design," Morey Haber, chief security advisor at security provider BeyondTrust, told . "It is simply just a bad idea. If a password can be read in memory by a human or malicious process, it is no longer a protected secret. It is already compromised in principle through clear-text storage in an already insecure medium."
Pitfalls of using your browser's built-in password manager
Initially, I recommended that Edge users find an alternative way to manage their passwords. Now that Microsoft has fixed this security flaw, I think you can rely on Edge's password manager.
However, my advice to switch to a dedicated third-party password manager still stands. Yes, using your browser's built-in password manager seems quick and convenient. But there are some pitfalls.
If someone gains access to your PC or mobile device via your password, PIN, or passcode, they could launch your browser and use the same method to view your passwords. I've tried this on a Windows PC using just my PIN and was able to access plaintext passwords in Edge. A good third-party password manager requires stronger authentication to view your passwords.
A built-in password manager works just with that specific browser. You can use Edge as your default, but you might sometimes turn to Chrome or Firefox. In that case, your stored passwords wouldn't be available. I use Firefox, Chrome, and Edge both personally and professionally, so my passwords need to be accessible across all three.
If you use only Edge, then sure, you can stick with it as your password manager. But if you also want to use other browsers, then a third-party password manager is still your best bet.