
Microsoft Edge Plaintext Passwords in Memory 2026: What Users Should Do Now

Microsoft Edge loads all saved passwords into memory in plaintext at startup, and Microsoft says this is by design. Here is what it means and what to switch to.

Hot radar note: On May 4, 2026, security researcher Tom Jøran Sønstebyseter Rønning disclosed that Microsoft Edge decrypts every saved password into plaintext memory at browser startup. Microsoft confirmed the behavior is "by design." Omellody classifies this as an S-level hot-radar item for password-manager users because it changes the safety assumptions behind browser-stored credentials.

What Microsoft confirmed and why it matters

Independent outlets including Cybernews, Windows Central, PCWorld, Malwarebytes, Forbes and the Windows Forum community reported in early May 2026 that Microsoft Edge loads every saved password into process memory, decrypted and in plaintext, during browser startup. They remain in cleartext throughout the session. Microsoft confirmed to multiple reporters that the behavior is intentional and said it does not view the design as a vulnerability, because an attacker would already need local access to read browser process memory.

Technically Microsoft is correct that local code execution or process-memory read access is a prerequisite. Practically, this is exactly the capability that credential-stealing malware, infostealers like Lumma, RedLine, Vidar, or newer AI-augmented variants try to obtain on consumer Windows machines every day. A browser that keeps the whole vault decrypted in RAM gives those families a much easier target than a password manager that derives a per-entry key from a master password only when the user needs a single credential.

The disclosure is a design question more than a zero-day. There is no patch to install and no CVE to chase. The defensive move is to change how you store passwords, not to wait for a fix that, according to Microsoft, is not coming.

What is actually at risk

Anything saved in Edge under the built-in password manager falls under this model, including work email, personal email, streaming accounts, online banking, school portals, shopping accounts, and social media. Sites where Edge prompted you to save a login and now autofills it are the highest-value targets, because attackers know those saved logins often belong to financial or identity accounts.

Passkeys, hardware security keys, platform biometrics, and Windows Hello are not affected in the same way because they do not involve a plaintext password at all. If you already moved critical accounts to passkeys, keep going. If you still rely on Edge to remember legacy passwords, assume an infostealer infection would harvest all of them in one pass.

Synced accounts raise the exposure further. If you use a Microsoft account to sync passwords across Edge on multiple devices, a compromise of any one of those endpoints exposes the same vault everywhere.

Immediate checklist for Edge users

The fastest way to reduce exposure is to stop trusting Edge as the default vault. These steps take about 30 minutes for a personal account and can be staged over a week for a household.

  • Install a dedicated password manager and import your Edge vault.
  • Turn off password saving in Edge settings and clear saved passwords after export.
  • Enable multi-factor authentication on email, banking, cloud storage, and shopping accounts first.
  • Move high-value accounts to passkeys when the service supports them.
  • Run a reputable antivirus scan on every Windows device that had Edge password saving enabled.
  • Rotate passwords for the accounts you care about most, starting with primary email and banking.

For anyone still using the same password on multiple sites, the breach model here is brutal. One infostealer infection with Edge exposure can chain directly into email takeover, password reset for everything else, and follow-on account fraud. Unique, strong passwords per site, stored in a dedicated manager, cut that chain.

How this compares to Chrome and Firefox

Chrome decrypts individual passwords on demand rather than bulk-decrypting the entire store into memory at startup. That reduces the attack window for malware scraping process memory, although Chrome is still not equivalent to a dedicated password manager. Firefox uses an encrypted storage model and, with a master password enabled, keeps passwords encrypted in memory until needed.

None of the browser-native tools match dedicated managers on security architecture. Dedicated managers derive the vault key from a master password and modern key derivation functions, keep the vault encrypted on disk, and release individual entries only after user action. Leading managers also offer breach monitoring, sharing controls, passkey sync, and recovery workflows that browsers do not.

If you only care about convenience and are willing to rotate passwords more often, Chrome is an upgrade over Edge for this specific memory behavior. If you want real protection, switch to a dedicated manager.

What businesses and IT teams should do

For organizations that deploy Edge through Intune or Group Policy, the safest posture is to disable the built-in password manager and enforce an enterprise password manager instead. Combine that with endpoint detection and response that watches for known infostealer families, USB autorun controls, Mark-of-the-Web enforcement, and phishing-resistant MFA.

  • Disable "Offer to save passwords" via Edge policy.
  • Deploy a managed password manager such as 1Password Business, Keeper, or Bitwarden Enterprise.
  • Require phishing-resistant MFA, ideally passkeys or FIDO2 keys, for admin and finance accounts.
  • Audit existing Edge-saved credentials through help-desk-assisted exports, then force rotation.
  • Monitor EDR telemetry for Lumma, RedLine, Vidar, Atomic, and similar infostealer behavior.
  • Block risky browser extensions that can read clipboard or page content without review.
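The first and fourth steps above (disable password saving by policy, then audit which endpoints still need a help-desk-assisted export before rotation) as an added PowerShell example; this is not code from the article or from Microsoft. It assumes the standard Edge machine-policy registry key and the PasswordManagerEnabled policy value that backs the "Offer to save passwords" switch, and it only checks for the presence of a profile's login store without reading it.

```powershell
[CmdletBinding()]
param(
    [switch]$Remediate   # set the policy instead of only reporting
)

# Assumed (not stated in the article): Edge reads machine policy from this key, and the
# PasswordManagerEnabled value backs the "Offer to save passwords" switch (0 = off).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName = 'PasswordManagerEnabled'

function Get-EdgePasswordManagerPolicy {
    # Returns $null when the value is absent (Edge then defaults to saving passwords).
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Disable-EdgePasswordManager {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 0 -PropertyType DWord -Force | Out-Null
}

function Get-EdgeProfilesWithLoginStore {
    # Existence check only (the store is never opened): profiles that still have an Edge
    # login database are the ones to schedule for help-desk-assisted export and rotation.
    $pattern = Join-Path $env:SystemDrive 'Users\*\AppData\Local\Microsoft\Edge\User Data\*\Login Data'
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object { $_.DirectoryName }
}

$current = Get-EdgePasswordManagerPolicy
if ($null -eq $current) {
    $status = 'NOT SET - Edge saves passwords (control gap)'
} elseif ($current -eq 0) {
    $status = 'DISABLED (compliant)'
} else {
    $status = "ENABLED=$current (control gap)"
}
Write-Output "$env:COMPUTERNAME : $PolicyName is $status"

$profiles = @(Get-EdgeProfilesWithLoginStore)
Write-Output "$env:COMPUTERNAME : $($profiles.Count) Edge profile(s) have a login store to export and rotate"
$profiles | ForEach-Object { Write-Output "  $_" }

if ($Remediate -and $current -ne 0) {
    Disable-EdgePasswordManager   # requires an elevated session
    Write-Output "$env:COMPUTERNAME : $PolicyName set to 0; takes effect on next Edge restart"
}
```

Run it without -Remediate from your EDR or RMM tool to collect the control-gap report across the fleet, then with -Remediate once exports are done; Intune or Group Policy can set the same value centrally instead of this script.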

For regulated environments, the presence of plaintext credentials in process memory may trigger compliance questions that are hard to answer with "Microsoft calls it by design." Document the control gap and the compensating controls you chose.

Best alternatives to Edge's built-in password manager

1Password 4.8/5

Best for: users replacing Edge with a full-featured vault across devices · Price: From $2.99/month billed annually

Pros
  • Strong vault security and Watchtower breach alerts
  • Excellent passkey and family sharing support
  • Travel Mode and Secrets Automation for power users
Cons
  • No permanent free tier
  • Migration from Edge requires one-time export and cleanup


Bitwarden 4.7/5

Best for: users who want a strong free plan and open-source code · Price: Free tier, Premium from $10/year

Pros
  • Open-source client with regular audits
  • Generous free plan covers unlimited devices
  • Self-hosting option for advanced users
Cons
  • Interface is more technical than 1Password
  • Some polish trails paid competitors


Dashlane 4.6/5

Best for: families that want dark web monitoring and a built-in VPN · Price: Premium from $4.99/month billed annually

Pros
  • Dark web monitoring across family plans
  • Built-in VPN for public Wi-Fi protection
  • Friendly onboarding and autofill
Cons
  • Higher price than Bitwarden
  • Free plan is device-limited


Keeper 4.6/5

Best for: IT teams and small businesses replacing browser vaults at scale · Price: From about $2.92/user/month billed annually

Pros
  • Strong role-based access and secure sharing
  • BreachWatch highlights exposed credentials
  • Robust admin controls and reporting
Cons
  • Best features are add-ons
  • Consumer UX less friendly than 1Password


NordPass 4.5/5

Best for: NordVPN and Nord Security ecosystem users · Price: From $1.49/month on long-term plans

Pros
  • Modern XChaCha20 encryption
  • Clean UI with fast autofill
  • Good bundle pricing with NordVPN
Cons
  • Free plan limits device sessions
  • Advanced sharing is premium-only


Comparison table

Product · Rating · Best for · Price · Key strengths
1Password · 4.8/5 · full-featured vault across devices · From $2.99/month billed annually · Watchtower, passkey support, Travel Mode
Bitwarden · 4.7/5 · strong free plan and open source · Free tier, Premium from $10/year · Open source, unlimited device sync, self-host
Dashlane · 4.6/5 · families wanting dark web monitoring and VPN · Premium from $4.99/month · Dark web monitoring, VPN, autofill
Keeper · 4.6/5 · IT teams replacing browser vaults · From about $2.92/user/month · Role-based access, BreachWatch, admin controls
NordPass · 4.5/5 · Nord ecosystem users · From $1.49/month on long-term plans · XChaCha20 encryption, clean UI, NordVPN bundle

What to watch next

Microsoft is unlikely to change the underlying design in the short term because the company has framed it as expected behavior rather than a defect. Expect follow-up research on exactly which process regions hold the decrypted material, whether enterprise configurations change the pattern, and whether Edge's profile sync widens the blast radius across devices. Infostealer operators will also update their tools to target this specific data layout, so endpoint detection vendors will publish new rules in the coming weeks.

If you maintain an allow-list of approved browsers for employees or family members, reconsider whether Edge's built-in password manager should remain an approved credential store. Even if you keep Edge as the browser, moving the vault elsewhere is the cleaner fix.

Frequently asked questions

Did Microsoft confirm Edge stores passwords in plaintext in memory?

Yes. After security researcher Tom Jøran Sønstebyseter Rønning disclosed the behavior on May 4, 2026, Microsoft responded that Edge decrypts and loads saved passwords into process memory at startup by design, and said it does not consider the behavior a vulnerability.

Does this mean my Edge passwords are already leaked?

No. The risk only becomes real when an attacker or malware can read Edge process memory on your device. If your device is clean and protected, the passwords are not exposed to the wider internet. But credential-stealing malware can exploit this behavior much more easily than a typical encrypted vault.

Is Chrome safer for stored passwords?

Chrome decrypts individual passwords on demand rather than dumping the full vault into memory at startup, which is the core difference researchers highlighted. Neither browser-based password tool matches a dedicated password manager with a zero-knowledge master password and device binding.

Should I move my passwords to a dedicated password manager?

If you store important credentials in Edge, yes. A dedicated password manager keeps the vault locked behind a master password instead of decrypting it at browser startup, and protects it with additional hardware and device-level safeguards.

What should businesses running Edge do?

Businesses should disable browser-level password saving through group policy, enforce a managed password manager, deploy endpoint protection that detects credential-stealing malware, and require MFA on all accounts that the browser previously stored.

Bottom line

Microsoft Edge's plaintext password behavior is not a panic moment, but it is a signal. Browsers are convenient but they are not built primarily to be vaults. If you keep email, banking, school, or work accounts saved in Edge, move them to a dedicated password manager, turn on MFA, and run an antivirus scan to clear any infostealer already on the device. The core lesson from this hot-radar item is simple: pick the right tool for the job, and keep the single most reused login out of the browser's decrypted memory.