Microsoft has reversed its position on Edge's password handling after initially defending the practice as intentional design. The browser previously decrypted and loaded all saved passwords into process memory as plaintext at startup, keeping them resident for the entire session whether used or not. Security researchers identified this behavior as unique among Chromium-based browsers and significantly easier to exploit than Chrome's approach, which makes extracting saved passwords from memory considerably harder.
Microsoft Edge Security Lead Gareth Evans announced the company now views this as a defense-in-depth issue requiring correction. The previous design meant any attacker with administrative access to a compromised device could harvest all stored credentials by simply reading process memory. While Microsoft initially stated this behavior was by design, the company has now committed to aligning Edge with industry standards and its own secure-by-design messaging.
The technical change modifies when and how Edge decrypts saved passwords. Instead of loading the entire password store into memory at browser launch, Edge will now decrypt credentials only when actively needed for autofill operations or password management tasks. This substantially reduces the window of exposure and the volume of plaintext credentials available in memory at any given time, making bulk credential theft more difficult even when attackers have elevated system privileges.
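The difference between the two lifetimes, as an added illustration that is not Microsoft's or Chromium's code: a stdlib-only HMAC-SHA256 counter-mode stream stands in for the platform protection API (DPAPI on Windows), the site names and passwords are constructed, and `resident_plaintext()` counts how many decrypted credentials are live at a given moment.

```python
import hashlib, hmac, os
from contextlib import contextmanager

NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream standing in for the OS key store; not a real cipher.
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def protect(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def unprotect(key: bytes, blob: bytes) -> bytearray:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytearray(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def wipe(buf: bytearray) -> None:
    # Best-effort zeroisation; Python may still hold transient copies elsewhere.
    for i in range(len(buf)):
        buf[i] = 0

class EagerStore:
    """Previous Edge behaviour: decrypt the whole store at launch and keep it resident."""
    def __init__(self, key, encrypted):
        self.live = {site: unprotect(key, blob) for site, blob in encrypted.items()}
    def resident_plaintext(self): return len(self.live)
    @contextmanager
    def use(self, site):
        yield bytes(self.live[site])   # nothing is wiped afterwards

class OnDemandStore:
    """Corrected behaviour: decrypt one credential for the autofill in progress, then wipe it."""
    def __init__(self, key, encrypted):
        self.key, self.enc, self.live = key, encrypted, {}
    def resident_plaintext(self): return len(self.live)
    @contextmanager
    def use(self, site):
        buf = unprotect(self.key, self.enc[site])
        self.live[site] = buf
        try:
            yield bytes(buf)
        finally:
            wipe(buf)
            del self.live[site]

def demo():
    key = os.urandom(32)
    secrets = {"a.example": b"pw1", "b.example": b"pw2"}   # constructed sample store
    enc = {s: protect(key, p) for s, p in secrets.items()}
    eager, lazy = EagerStore(key, enc), OnDemandStore(key, enc)
    with eager.use("a.example"), lazy.use("a.example") as pw:
        during = (eager.resident_plaintext(), lazy.resident_plaintext(), pw)
    return during, (eager.resident_plaintext(), lazy.resident_plaintext())
```

During a single autofill the eager store exposes every credential while the on-demand store exposes one; once the fill completes the on-demand store holds none, which is the exposure window the update narrows.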
The update is already available in Edge Canary, the experimental preview channel, and Microsoft has prioritized rollout across all supported channels. Users running build 148 or newer across Stable, Beta, Dev, Canary, and Extended Stable channels will receive the improved password handling. The change brings Edge in line with other Chromium-based browsers rather than representing a novel security advancement.
Security experts recommend users understand that browser password managers prioritize convenience over maximum security. Organizations and individuals should enable multi-factor authentication wherever possible to mitigate risks from password compromise. Users should avoid storing highly sensitive information such as credit card details or medical records in browser password managers, and consider disabling autofill to maintain control over when credentials are entered. While this Edge update improves baseline security, browser-based password storage remains a calculated tradeoff between usability and protection.
Source: https://www.malwarebytes.com/blog/news/2026/05/microsoft-is-changing-edges-plaintext-password-behavior