Microsoft Edge Loads Every Password in Plaintext Memory. Microsoft Says 'By Design'

Disclosure: Omellody may earn a commission when you sign up for a password manager through our links. Editorial picks are independent and based on hands-on testing.

The 30-second summary

  • Security researcher Davey Winder reported (Forbes, May 6 2026) that Microsoft Edge decrypts every saved password into process memory the moment the browser launches.
  • Google Chrome, by contrast, decrypts one credential at a time only when the user autofills.
  • Microsoft's response: the behavior is "by design" and will not be patched.
  • Any infostealer or local attacker that can read Edge memory can lift the entire vault. Windows infostealers already target browser processes.
  • A dedicated password manager (1Password, Bitwarden, NordPass, Dashlane, Keeper) isolates credentials from the browser and re-locks on idle.

What exactly did Microsoft admit?

When Edge starts, the browser reads the user's saved credentials from its encrypted store, unwraps them with the Windows Data Protection API (DPAPI), and keeps the cleartext versions in memory for the lifetime of the browser process. A 400-credential vault is therefore sitting decrypted in RAM from the second you open a browser window until Edge and all of its helper processes have actually exited. Closing the last window is not that moment: with Startup boost and "Continue running background extensions and apps when Microsoft Edge is closed" enabled (both are commonly on by default), Edge processes stay resident after the window is gone.

Google Chrome takes a different path. Chrome leaves credentials encrypted in its Login Data SQLite store and decrypts only the single credential you are about to autofill. Firefox, when a primary password is set, behaves similarly: the store stays locked until the primary password is entered, and it can be configured (under the security device settings) to ask again after a period of inactivity rather than only once per session.

The researcher who flagged the issue filed it through Microsoft's MSRC intake. Microsoft closed the case with the note that Edge's memory handling is intentional and not considered a vulnerability under its servicing criteria. In plain English: Microsoft is not going to change it.

Why this matters more than a normal "local attacker only" bug

Security teams used to shrug off local-only issues. That era is over. In 2026, commodity infostealers (Lumma, RedLine, StealC, Vidar, plus the fresh Silver Fox ABCDoor campaign we covered here) explicitly target browser memory. A single malicious NPM package, a trojanized game mod, or a poisoned search ad is enough to land a scraper on a consumer PC.

Once the scraper has any user-level foothold, it can open the Edge browser process for reading (a process running as the same user needs no elevation to obtain PROCESS_VM_READ on another process at the same integrity level), dump its memory, and walk away with every banking login, every work SSO cookie, and every personal email password in seconds. The attacker does not need admin, does not need to touch DPAPI or the on-disk store at all, and does not need the victim to autofill anything: the decryption has already been done for it.
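As an added detection example (this editor's code, not from the article, Forbes, or Microsoft): the one observable a same-user memory dump always produces is a handle opened on msedge.exe with read rights, which Sysmon records as Event ID 10 (ProcessAccess) when its configuration has a ProcessAccess rule covering msedge.exe. The field names and access-mask bits are Sysmon's and Win32's; the sample events, fictional paths and the allowlist patterns are constructed for the demo and should be tuned to your own AV/EDR binaries.

```powershell
# Added example, not the article's or Microsoft's code. Flags processes that opened
# an Edge browser process with memory-read rights, using Sysmon Event ID 10
# (ProcessAccess). Sample events and the allowlist are constructed for this demo.

# Win32 process access rights as they appear in Sysmon's GrantedAccess field.
# PROCESS_VM_READ is the bit a memory dumper cannot do without; 0x1F0FFF and
# 0x1FFFFF (PROCESS_ALL_ACCESS) include it. 0x1000 (QUERY_LIMITED_INFORMATION)
# alone is what Task Manager-style tools ask for and carries no read access.
$ProcessVmRead = 0x0010

function Find-EdgeMemoryReaders {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Assumption: tune this allowlist to your own AV/EDR binaries. Edge's own
        # browser process legitimately opens its child processes with full access.
        [string[]] $AllowedSourcePatterns = @('\\msedge\.exe$', '\\MsMpEng\.exe$')
    )
    foreach ($e in $Events) {
        if ($e.TargetImage -notmatch '\\msedge\.exe$') { continue }
        $mask = [Convert]::ToInt32($e.GrantedAccess, 16)     # accepts "0x..." strings
        if (($mask -band $ProcessVmRead) -eq 0) { continue }
        $allowed = $false
        foreach ($p in $AllowedSourcePatterns) {
            if ($e.SourceImage -match $p) { $allowed = $true; break }
        }
        if ($allowed) { continue }
        [pscustomobject]@{
            SourceImage   = $e.SourceImage
            GrantedAccess = '0x{0:X}' -f $mask
            Finding       = 'non-allowlisted process opened msedge.exe with PROCESS_VM_READ'
        }
    }
}

# Constructed sample events shaped like Sysmon EID 10 EventData (paths are fictional).
$EdgeExe = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$SampleEvents = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\Taskmgr.exe';           TargetImage = $EdgeExe;                  GrantedAccess = '0x1000' }
    [pscustomobject]@{ SourceImage = $EdgeExe;                                      TargetImage = $EdgeExe;                  GrantedAccess = '0x1FFFFF' }
    [pscustomobject]@{ SourceImage = 'C:\Users\alice\AppData\Local\Temp\upd.exe';  TargetImage = $EdgeExe;                  GrantedAccess = '0x1F0FFF' }
    [pscustomobject]@{ SourceImage = 'C:\Users\alice\Downloads\modloader.exe';     TargetImage = $EdgeExe;                  GrantedAccess = '0x10' }
    [pscustomobject]@{ SourceImage = 'C:\Users\alice\Downloads\modloader.exe';     TargetImage = 'C:\Windows\explorer.exe'; GrantedAccess = '0x10' }
)
Find-EdgeMemoryReaders -Events $SampleEvents | Format-Table -AutoSize

# Live use: the same filter over the last 24 hours of Sysmon events. Sysmon only
# records ProcessAccess when its config has a rule for it, e.g. a TargetImage
# "end with" msedge.exe condition.
$LiveEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ SourceImage = $data.SourceImage; TargetImage = $data.TargetImage; GrantedAccess = $data.GrantedAccess }
    }
if ($LiveEvents) { Find-EdgeMemoryReaders -Events $LiveEvents | Format-Table -AutoSize }
```

On the constructed sample the filter ignores Task Manager (no read bit), ignores Edge opening its own child, ignores the explorer.exe target, and reports the two unknown binaries in the user's profile. In production, the SourceImage paths that fire most are exactly the ones the article describes: temp folders, downloads, and freshly installed "mod" or "updater" executables.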

The fix: move your passwords out of the browser

A dedicated password manager solves this by keeping the vault encrypted at rest and decrypting only the record you are actually viewing or filling. When you lock the app (manually or after an idle timer), keys and decrypted data are zeroed from memory. One caveat applies to every product below: while the vault is unlocked it is, like any process, readable by same-user malware, so a short auto-lock timer and locking on focus loss matter more than the brand name. These are the five managers we test and recommend for Edge users migrating today.

1. 1Password

Rating: 9.6/10 · From $2.99/mo

The cleanest option for Windows users leaving Edge. Secret Key plus master password, Watchtower breach alerts, and a memory-hardened desktop app that re-locks on idle. Travel Mode is a bonus for crossing borders.

  • Pros: Best UX in the category, passkey-first, strong family sharing.
  • Cons: No free tier, subscription only.

2. Bitwarden

Rating: 9.4/10 · Free or $10/yr Premium

Open-source, audited, and the only serious free tier left. The native desktop client locks by default after five minutes idle and does not keep decrypted entries pinned in memory.

  • Pros: Transparent code, self-host option, cheapest paid tier.
  • Cons: UI is less polished than 1Password.

3. NordPass

Rating: 9.2/10 · From $1.79/mo

XChaCha20 encryption, a clean Windows 11 installer, and the same zero-knowledge architecture as the rest of the Nord suite. Bundles well if you already run NordVPN.

  • Pros: Very fast autofill, good breach monitor.
  • Cons: Free tier limits to one device.

4. Dashlane

Rating: 9.0/10 · From $3.33/mo

Dashlane moved to a web-first architecture that keeps the decrypted vault out of persistent memory. Built-in VPN and dark-web monitoring included.

  • Pros: Polished family plan, solid password health scoring.
  • Cons: More expensive than Bitwarden or NordPass.

5. Keeper

Rating: 8.9/10 · From $2.92/mo

Keeper's desktop client enforces auto-lock on focus-loss by default, which is exactly the behavior Edge is missing. Strong choice for SMB and regulated industries.

  • Pros: FedRAMP authorized, strict memory hygiene.
  • Cons: Extra charge for dark-web add-on.

How the five options compare

Manager     | Memory hygiene                      | Starting price | Free tier     | Best for
------------|-------------------------------------|----------------|---------------|---------------------------
1Password   | Zeros on lock                       | $2.99/mo       | 14-day trial  | Windows + Mac households
Bitwarden   | Auto-lock 5 min                     | Free / $10/yr  | Unlimited     | Budget + open-source fans
NordPass    | XChaCha20 + idle lock               | $1.79/mo       | 1 device      | Nord bundle users
Dashlane    | Web-first, no persistent plaintext  | $3.33/mo       | Trial only    | Families with VPN needs
Keeper      | Focus-loss lock                     | $2.92/mo       | 30-day trial  | SMB / regulated industries

Migration playbook: out of Edge in 10 minutes

  1. Export from Edge: Settings → Profiles → Passwords → More actions (···) → Export passwords. Save to a folder you control.
  2. Import: Open your new password manager's import wizard (1Password, Bitwarden, and NordPass all accept the Edge CSV directly).
  3. Verify count: Confirm the number of imported entries matches the CSV row count.
  4. Delete the CSV securely: delete the file first, then run cipher /w:C:\path (where C:\path is the folder that held it) to overwrite the free space on that volume. cipher /w wipes unallocated space on the whole volume, not a named file, so it only helps after the delete and can take a long time. On SSDs, wear-levelling makes any overwrite best-effort, so keep the export on a BitLocker-encrypted volume from the start and keep its lifetime short.
  5. Clear Edge: Settings → Profiles → Passwords → Saved passwords → Delete all. Turn off password sync.
  6. Disable Edge's "Offer to save passwords" to prevent accidental re-population.
  7. Fully quit Edge, including the Startup boost and background-app processes (Settings → System and performance), or simply reboot, so no plaintext residue survives in an Edge process that outlived its last window.
  8. Rotate high-value logins (email, banking, work SSO). Assume anything that sat in Edge for years may already be in a stealer log.
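Steps 3, 4 and 8 are the ones people skip, so here is a worked version of them as an added example (this editor's code, not the article's or any vendor's). It assumes the Chromium-style header name,url,username,password that Edge writes; the sample rows are constructed with fake credentials so the audit runs offline.

```powershell
# Added example, not the article's or any vendor's code: audit an Edge password
# export before importing it, then get rid of the CSV. Assumes the Chromium-style
# header "name,url,username,password" that Edge writes; the sample rows are
# constructed with fake credentials.

function Get-ExportAudit {
    param([Parameter(Mandatory)] [string] $CsvPath)
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }
    $required = 'name', 'url', 'username', 'password'
    $present  = $rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $_ -notin $present }
    if ($missing) { throw "Unexpected header; missing column(s): $($missing -join ', ')" }

    # Same password on several sites: one breach exposes the whole group, so these
    # are the entries to rotate first (step 8), whatever the import tool says.
    $reused = @($rows | Where-Object { $_.password } | Group-Object -Property password | Where-Object { $_.Count -gt 1 })
    # Identical (url, username) pairs become two records after import and throw
    # off the "does the count match" check in step 3.
    $dupes  = @($rows | Group-Object -Property { "$($_.url)|$($_.username)" } | Where-Object { $_.Count -gt 1 })

    [pscustomobject]@{
        TotalRows        = $rows.Count          # compare with the count the new manager reports
        EmptyPasswords   = @($rows | Where-Object { -not $_.password }).Count
        DuplicateEntries = $dupes.Count
        ReusedPasswords  = $reused.Count
        SitesToRotate    = @($reused | ForEach-Object { $_.Group.url } | Sort-Object -Unique)
    }
}

function Remove-ExportFile {
    param([Parameter(Mandatory)] [string] $CsvPath, [switch] $WipeFreeSpace)
    $dir = Split-Path -Path (Resolve-Path -Path $CsvPath).ProviderPath -Parent
    Remove-Item -Path $CsvPath -Force
    if ($WipeFreeSpace) {
        # cipher /w overwrites the *unallocated* space of the volume that holds $dir;
        # it cannot target a file, so it must run after the delete. Slow on large
        # volumes, and only best-effort on SSDs because of wear-levelling.
        & cipher.exe "/w:$dir" | Out-Null
    }
}

# Constructed sample export so the audit runs offline (no real credentials).
$Sample = Join-Path -Path $env:TEMP -ChildPath 'edge-export-sample.csv'
@'
name,url,username,password
Example Bank,https://bank.example/login,alice,Tr0ub4dor&3
Example Mail,https://mail.example/,alice@example.com,Tr0ub4dor&3
Example Mail,https://mail.example/,alice@example.com,Tr0ub4dor&3
Work SSO,https://sso.example/,alice,
'@ | Set-Content -Path $Sample -Encoding UTF8

Get-ExportAudit -CsvPath $Sample | Format-List
Remove-ExportFile -CsvPath $Sample            # add -WipeFreeSpace for the real export
```

Run the audit on the real export before the import, write down TotalRows, and compare it with what the manager reports after import; a mismatch is usually the duplicate pairs the audit lists. SitesToRotate is your step 8 worklist.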

Frequently asked questions

Is this the same as the LastPass 2022 incident?

No. LastPass lost encrypted vault backups from a cloud breach. The Edge issue is about credentials sitting in RAM on your own machine. Different threat model, same mitigation: stop storing real secrets in a browser.

What about Microsoft Authenticator's autofill?

Microsoft Authenticator's autofill reads from the same Microsoft-account password store that Edge syncs to. Moving to a dedicated manager and disabling Edge password sync breaks that chain.

Does Windows Hello help?

Windows Hello gates access to the vault, but once Edge is unlocked the decrypted memory is still readable by same-user processes. Hello is not a workaround here.

I am an IT admin. Can I force Edge to stop doing this?

No Group Policy disables the behavior as of May 2026. The supported path is to disable Edge password manager entirely (PasswordManagerEnabled = Disabled) and deploy a supported enterprise password manager.
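For a test machine or a fleet without GPO, the same policy can be applied and verified from PowerShell. This is an added example (this editor's code, not the article's or Microsoft's); Edge reads machine policies from HKLM\SOFTWARE\Policies\Microsoft\Edge, and a DWORD PasswordManagerEnabled = 0 is the registry form of "PasswordManagerEnabled = Disabled". The two extra settings, StartupBoostEnabled and BackgroundModeEnabled, are this editor's addition rather than anything the article names.

```powershell
# Added example, not the article's or Microsoft's code: apply and verify the policy
# the article names. Edge reads machine policies from
# HKLM\SOFTWARE\Policies\Microsoft\Edge; a DWORD PasswordManagerEnabled = 0 is the
# registry form of "PasswordManagerEnabled = Disabled". Must run elevated; on
# domain-joined machines prefer the ADMX/GPO or Intune equivalent so the value is
# not overwritten at the next policy refresh.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$Policies  = @{
    PasswordManagerEnabled = 0   # built-in password saving and autofill off
    # The next two are this editor's addition, not from the article: they stop Edge
    # processes (and whatever they hold) from lingering after the last window closes.
    StartupBoostEnabled    = 0
    BackgroundModeEnabled  = 0
}

function Set-EdgePolicies {
    param([hashtable] $Values = $Policies, [string] $Key = $PolicyKey)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated PowerShell session.' }
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Test-EdgePolicies {
    param([hashtable] $Expected = $Policies, [string] $Key = $PolicyKey)
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = $null
        if ($null -ne $actual) { $value = $actual.$name }
        [pscustomobject]@{
            Policy   = $name
            Expected = $Expected[$name]
            Actual   = $value
            Ok       = ($null -ne $value) -and ($value -eq $Expected[$name])
        }
    }
}

Set-EdgePolicies
Test-EdgePolicies | Format-Table -AutoSize
# Edge picks the values up at its next launch; edge://policy ("Reload policies")
# shows whether it accepted them and which ones a higher-priority GPO overrides.
```

Setting the registry value does nothing for passwords already saved: users still need the export-and-delete steps above, and the Test-EdgePolicies output only proves the policy is present, not that Edge has restarted and honoured it.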

Is switching to Chrome enough?

Chrome's model is better but still not ideal. A standalone password manager remains the cleanest answer, especially on shared or BYOD machines.
