What if I told you that your web browser was saving all your passwords to memory, and doing so in plaintext? Buckle up, Microsoft Edge users, you are in for a wild ride.

A security researcher has gone public to disclose a vulnerability affecting all Edge browser users after Microsoft told him the security issue was by design. “Microsoft Edge loads all your saved passwords into memory in cleartext,” Tom Jøran Sønstebyseter Rønning said, “even when you’re not using them.” Yes, whenever you save passwords using Microsoft Edge, it decrypts them at startup and then keeps them sat right there in process memory, even, Rønning warned, “if you never visit a site that uses those credentials.” Here’s the thing, though: despite Edge being a Chromium-based browser, Chrome itself does not display this behavior. Which begs the question: Is it time to switch from Edge to Chrome, or another Chromium-based browser?

The Microsoft Edge Saved Passwords Security Vulnerability Explained

The issue disclosed by Rønning, which comes complete with a proof of concept, does not have a Common Vulnerabilities and Exposures designation, so some might say it isn’t a vulnerability at all. To which I reply, poppycock. According to the OED, vulnerability is defined as “the quality or state of being exposed to the possibility of being attacked or harmed.” Leaving decrypted, plaintext passwords sitting in process memory after startup, regardless of whether they are being used or not during that session, certainly does that.

Of course, things are never quite as black and white as they might first appear, and the researcher admitted that an attacker would need to gain administrative access to exploit this vulnerability. But if they did, then they could “access the memory of all logged-on user processes,” including all those passwords. The proof-of-concept video demonstrates just this scenario. What is perhaps more interesting is that none of the other Chromium-based web browsers tested displayed the same issue of keeping saved passwords in memory. “Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory,” Rønning explained in a post on the X platform, which went on to detail how Google’s browser only decrypts credentials as needed. Throw in the fact that Chrome also deploys App‑Bound Encryption as a secondary layer of security to bind decryption to an authenticated Chrome process, “preventing other processes from reusing Chrome’s encryption keys,” and you may be thinking it is time to switch from Edge.

I have reached out to Microsoft for a statement, but Rønning said that when he reported the issue, the official response he got back was that the behavior is by design.

Here’s the thing, though: while I am rather astounded that Microsoft Edge would choose to save decrypted passwords in process memory when it clearly doesn’t have to, someone gaining admin-level access to your device is pretty much game over anyway, whatever browser you are using. Microsoft has already said as much in its Edge password manager security documentation: “physically local attacks and malware are outside the threat model and, under these conditions, encrypted data would be vulnerable.”

So, should you switch from using Microsoft Edge to Google Chrome as a result of this saved passwords issue? Truth be told, all browsers are vulnerable to security exploits and Chrome is certainly no exception. I mean, you could switch to Chrome, but I’d suggest that you don’t use a browser for your password manager at all and, instead, use a dedicated password manager, of which there are plenty.