Microsoft Edge found storing your passwords in plaintext RAM for apparently no reason

Security researcher Tom Jøran Sønstebyseter Rønning has revealed that Microsoft Edge stores all saved passwords in plaintext in system memory while the browser is running. This means passwords may be accessible in readable form even if they have not been used during the current session.

Most browsers decrypt saved passwords only when needed and remove them from RAM shortly after use, but Edge reportedly keeps every saved password in clear text for the full runtime. Rønning demonstrated the behavior in a video, showing that saved Edge credentials could be extracted directly from RAM. Microsoft confirmed the behavior as a deliberate design decision, not a software bug, but did not explain the intended user benefit.

Rønning also found that other Chromium based browsers, including Google Chrome, don't appear to handle passwords this way. Since Edge keeps passwords in memory, an attacker with local or administrative access could extract them without opening the password manager. Edge’s authentication prompt doesn't prevent RAM based extraction, so Rønning has now released a proof of concept tool that can be downloaded from GitHub to check how Edge credentials can be dumped in clear text.