Microsoft Edge has a password-handling problem that sounds minor until you think like an attacker: every saved password is decrypted and left in cleartext memory for an entire browsing session. Microsoft says that is intentional, but the trade-off is awkward at best, especially for a browser built on the same Chromium codebase that powers Chrome.

The issue was surfaced by security researcher Tom Rønning, who found that Edge loads all stored passwords into memory at startup, even if you never open the sites they belong to. That makes Edge an easier target for malware that hunts for secrets in RAM, which is exactly the sort of thing modern infostealers are built to do. The awkward part is that Edge is the odd one out here: Rønning said other Chromium browsers he tested did not behave this way.

How Microsoft Edge handles saved passwords

Microsoft Edge decrypts saved passwords and keeps them in memory in cleartext throughout the session. Chrome, by contrast, only decrypts credentials when they are actually needed, such as during autofill, and it uses Application-Bound Encryption to make extraction harder. That difference matters because memory is where attackers go when they have already slipped past the easy defenses.

Microsoft told CyberNews the behavior exists so users can sign in quickly, and that exploiting it would require administrative access to the device. That answer is technically tidy and practically incomplete. Security professionals routinely point out that admin-level access is already a serious breach, but they also warn that there is a narrower window before that point where exposed memory can still be harvested.

Why memory exposure still matters

The practical advice from security experts is boring because it is right: stop storing passwords in the browser and use a dedicated password manager instead. Browsers are convenient, and convenience is usually how security gets mugged in a dark alley.

Edge users are not the only people being nudged toward better habits. Google has been pushing Chrome toward more local intelligence and more local storage, which shows how messy the modern browser has become: part security tool, part identity vault, part AI delivery vehicle. Microsoft may argue that its design is optimized for speed, but speed is a thin excuse when credentials sit exposed in memory longer than they need to.

The bigger problem for browser trust

This is less about one bug than about how much trust browsers now carry by default. They are no longer just windows onto the web; they are password stores, payment tools, sync engines, and now AI platforms. The more they do, the more painful their security shortcuts become.

Microsoft is unlikely to reverse course quickly if it believes the current design is intentional and fast. The better question is whether users will keep treating browser password storage as a harmless convenience after another reminder that "saved" does not always mean "safe".
