If you save passwords in Microsoft Edge, there’s a security risk you should know about. According to a new disclosure, whenever you open Edge, the browser immediately loads all saved passwords into memory in readable form — not just the password for the website you’re logging into. That means credentials for every account saved in Edge could be exposed if malware, a compromised admin account, or another attacker gains access to your device or user session.
The finding was disclosed by security researcher Tom Jøran Sønstebyseter Rønning, who says Microsoft’s response was that the behavior is “by design.”
Microsoft’s own documentation says Edge encrypts saved passwords on disk using AES (Advanced Encryption Standard) and acknowledges that passwords can be exposed if the user session or device is compromised. The new disclosure does not dispute that but raises a different concern: Edge loads all saved passwords into readable memory as soon as the browser launches, making memory scraping far more valuable if an attacker gains sufficient access.
This comes a year after Microsoft narrowed password management around Edge by phasing out password storage and autofill in Microsoft Authenticator, pushing users who wanted to keep using Microsoft’s password features toward its own browser.
How Microsoft Edge handles saved passwords
Passwords are supposed to be protected by encryption when stored: Encryption turns a readable password (plaintext) into unreadable data (ciphertext). To use that password for autofill, a browser eventually has to decrypt it back into readable form. The important questions are: How much password data becomes readable at once, and how long does it stay that way?
Security researcher Tom Jøran Sønstebyseter Rønning says Microsoft Edge loads all saved passwords into the browser’s memory in plaintext as soon as it launches, instead of only decrypting a specific password when it’s needed. This includes all passwords saved in the Edge password manager, even those for websites you don’t visit or autofill during the current browsing session.

That makes Edge’s re-authentication prompt feel misleading: The interface asks you to prove your identity before revealing a password, although the browser process already has every saved password available in readable form.
The researcher tested this behavior across multiple Chromium-based browsers, including Google Chrome, Brave, Vivaldi, Opera, and Microsoft Edge. Only Edge exhibited this behavior.
It’s enough to just leave Microsoft Edge open
Security researcher Rob VandenBrink, writing for SANS Internet Storm Center, reproduced the issue by leaving Microsoft Edge open and analyzing a memory dump of the running browser session. He demonstrated how a logged-in Windows user can dump their stored Edge credentials without additional rights, which also means malware running as that user could potentially access those credentials too.

One compromised session can expose all your passwords
If an attacker gains sufficient access to the device or user session, they may be able to inspect the browser’s memory. If only one password is decrypted when needed, the attacker has a smaller window and less data to capture. But if every saved password is already sitting in memory unprotected by encryption, memory scraping becomes far more valuable.
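To make the “more valuable” point concrete, here is an added PowerShell example (written for this page; it is not the article’s code and not the researchers’ tooling) that carves printable strings sitting near a known site origin in a memory dump file. It does not acquire the dump and makes no claim about how Edge lays out its data in memory; the input below is a constructed byte array standing in for a dump, and the function name, the marker and the commented-out dump path are assumptions for illustration.

```powershell
# Added example, not from the original article. Given the raw bytes of a process
# memory dump, find runs of printable text that sit within $Window bytes of a
# known marker such as a site origin. This is the generic "memory scraping" step
# the article warns about: once credentials are plaintext in memory, a grep-like
# pass over a dump is enough to recover them.
function Find-StringsNearMarker {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][string]$Marker,
        [int]$Window = 64,      # bytes of context examined on each side of a marker hit
        [int]$MinLength = 6     # shortest printable run worth reporting
    )
    # Latin-1 maps every byte to exactly one char, so string offsets equal byte offsets.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)

    # Look for the marker both as ASCII and as UTF-16LE (Windows and Chromium keep
    # many strings as UTF-16 internally), and carve runs in both encodings.
    $needles = @(
        [regex]::Escape($Marker),
        [regex]::Escape((($Marker.ToCharArray() -join "`0") + "`0"))
    )
    $runPatterns = @(
        "[\x20-\x7e]{$MinLength,}",           # ASCII printable run
        "(?:[\x20-\x7e]\x00){$MinLength,}"    # UTF-16LE printable run
    )

    foreach ($needle in $needles) {
        foreach ($m in [regex]::Matches($text, $needle)) {
            $start  = [Math]::Max(0, $m.Index - $Window)
            $end    = [Math]::Min($text.Length, $m.Index + $m.Length + $Window)
            $region = $text.Substring($start, $end - $start)
            foreach ($pattern in $runPatterns) {
                foreach ($run in [regex]::Matches($region, $pattern)) {
                    $value = $run.Value -replace '\x00', ''   # strip UTF-16 padding; no-op for ASCII
                    if (-not $value.Contains($Marker)) {      # drop the marker itself, keep its neighbours
                        [pscustomobject]@{ MarkerOffset = $m.Index; Candidate = $value }
                    }
                }
            }
        }
    }
}

# Constructed stand-in for a dump: binary noise, an ASCII login URL, an ASCII
# username and a UTF-16 password, each separated by NUL bytes. Not real data.
$ascii = [System.Text.Encoding]::ASCII
$utf16 = [System.Text.Encoding]::Unicode
$sample = [byte[]](
    [byte[]]@(0x00, 0x11, 0xff) +
    $ascii.GetBytes('https://example.test/login') + [byte[]]@(0x00, 0x00) +
    $ascii.GetBytes('alice@example.test') + [byte[]]@(0x00) +
    $utf16.GetBytes('Sup3rSecret!') + [byte[]]@(0x01, 0x02, 0x03)
)

# Against the sample this reports 'alice@example.test' and 'Sup3rSecret!' next to marker offset 3.
Find-StringsNearMarker -Bytes $sample -Marker 'https://example.test' | Format-Table -AutoSize

# For a real dump file (hypothetical path) you would read it and pass the bytes in:
# $dump = [System.IO.File]::ReadAllBytes('C:\dumps\msedge.DMP')
# Find-StringsNearMarker -Bytes $dump -Marker 'https://mail.example.test' -Window 256
```

Two practical caveats: decoding a multi-gigabyte dump into one string doubles its memory footprint, so for large dumps you would process the file in overlapping chunks rather than with ReadAllBytes; and the output is only candidates, so expect noise such as UI strings and URLs next to the real credentials. The point the example makes is the one the article makes: the attacker does not need to break any encryption, only to read memory that already holds plaintext.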
The risk is especially serious in shared environments, such as terminal servers, remote desktops, virtual desktop infrastructure, or systems where multiple users are logged in at the same time. A compromised admin account could extract saved credentials from other logged-in users, including disconnected sessions where Edge was still running.
What to do if you saved passwords in Microsoft Edge
This doesn’t mean every Microsoft Edge user has been hacked, but individuals and organizations should reconsider whether Edge is the right place to store credentials. Here’s what you can do to stay safe:
- Stop saving new passwords in Microsoft’s browser and turn off the Edge password manager.
- Move your saved credentials to a secure password manager. You can easily import Edge passwords into Proton Pass.
- Delete passwords saved in Edge after migration.
- Change high-risk passwords and make them unique, starting with email, financial accounts, admin tools, password reset inboxes, and work accounts. Our password manager has an integrated tool for this purpose, but you can also use our password generator.
- Enable two-factor authentication (2FA) or passkeys where possible, which helps to reduce the damage if a password is exposed. Proton Pass supports passkeys and 2FA for all your saved accounts. You can also use our authenticator app to securely manage access to your Proton Account.
- For IT teams: Review Edge password policies and disable browser password storage to reduce organizational risk. A centrally controlled business password manager is superior to employees storing passwords on individual browsers.
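For the IT-team step, here is an added PowerShell example (not from the article, and not Microsoft’s own tooling) that enforces and audits the machine-wide Edge policy that turns off the browser password manager. The policy name `PasswordManagerEnabled` and the `HKLM\SOFTWARE\Policies\Microsoft\Edge` location are Microsoft’s documented Edge policy settings; the function names are this example’s own.

```powershell
# Added example, not from the original article. Sets and checks the Edge policy
# PasswordManagerEnabled = 0 on a single host. Writing HKLM needs an elevated
# prompt; the audit function works as any user.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'   # machine-wide Edge policy location

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-EdgePasswordManager {
    # PasswordManagerEnabled = 0 stops Edge from offering to save new passwords.
    # As documented, previously saved passwords remain usable until they are deleted,
    # so this must be paired with the migrate-and-delete steps above.
    if (-not (Test-IsElevated)) { throw 'Run from an elevated prompt to write HKLM policy.' }
    if (-not (Test-Path $EdgePolicyKey)) { New-Item -Path $EdgePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $EdgePolicyKey -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-EdgePasswordManagerDisabled {
    # $true only when the policy value exists and is explicitly 0.
    # An absent value means "not enforced", which the audit must treat as a finding.
    $p = Get-ItemProperty -Path $EdgePolicyKey -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.PasswordManagerEnabled -eq 0)
}

# Audit first, enforce only if needed, then re-audit.
if (Test-EdgePasswordManagerDisabled) {
    'Edge password manager already disabled by policy.'
} else {
    'Edge password manager NOT disabled by policy; enforcing.'
    Disable-EdgePasswordManager
    if (Test-EdgePasswordManagerDisabled) { 'Policy now enforced.' } else { throw 'Policy write did not take effect.' }
}
```

On a managed fleet you would push the same value through Group Policy or Intune rather than a per-host script; the script is useful as an audit check that the policy actually landed on the machine in front of you. Note what it does not do: it does not remove passwords users have already saved, and it does nothing for an Edge process that is already running with those passwords loaded, which is why the migration and deletion steps come first.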
Your passwords deserve better than Microsoft Edge
The Microsoft Edge disclosure is a reminder that your most sensitive credentials shouldn’t be stored in a password manager owned by a company that treats this kind of exposure as expected behavior, even though it raises obvious security concerns for individuals and organizations.
With Proton Pass, your passwords, aliases, passkeys, and 2FA codes are protected by end-to-end encryption, and you stay in control of where and how you use them.