Microsoft backpedals: Edge to stop loading passwords into memory

The Discovery That Sparked a Policy Change

On May 4, security researcher Tom Jøran Sønstebyseter Rønning published findings that caught the attention of the browser security community. He demonstrated that Microsoft Edge loads every password stored in its built-in password manager into process memory in plain text at startup. This happens even when the user never visits a login page or opens the password management interface. The credentials sit in memory, decrypted and accessible, for the entire browsing session.


Rønning did more than just observe this behavior. He created a proof-of-concept tool that could extract those passwords from memory. With Administrator privileges, an attacker could dump passwords from other users’ Edge processes on the same machine. Without admin rights, the tool could still access passwords from Edge processes launched by the same user. This raised serious questions about how Microsoft treats credential security in its browser.

The researcher reported the issue to Microsoft before going public. The company’s initial response was blunt. They told Rønning the behavior was “by design” and told BleepingComputer it was an expected feature of the application. For a moment, it seemed Microsoft would leave the edge password memory exposure unchanged.

Why Microsoft Initially Called It ‘By Design’

To understand Microsoft’s first reaction, you need to look at their threat model. The company argued that the scenario Rønning described falls outside the boundaries of what they consider a security vulnerability. If an attacker already has Administrator-level access to a device, that attacker can do many harmful things. Reading process memory is just one capability among many.

Microsoft’s position was straightforward. The edge password memory design assumed that administrative control means the system is already compromised. In that context, a password leak from memory is one symptom of a larger problem. The company viewed the issue as low priority because the attack requires elevated privileges to exploit fully.

But security researchers and users pushed back. The argument that “already compromised” justifies leaving passwords exposed in memory feels incomplete. Attackers often move laterally within networks. Gaining Administrator access on one machine may be a stepping stone, not the final goal. If that machine holds cached credentials from other users, the attacker’s reach expands dramatically. The edge password memory behavior made that expansion easier than it needed to be.

What the Edge Password Memory Flaw Actually Means

Let’s break this down in plain language. When you save a password in Edge’s built-in manager, the browser encrypts it and stores it on disk. That’s normal and generally safe. The problem is what happens next. Every time you launch Edge, the browser decrypts every saved password and loads them all into active memory. They stay there, readable, until you close the browser entirely.

Imagine walking into a library and placing every book you own on a table, open to the first page, before you sit down to read one. That’s what Edge was doing with your passwords. It unlocked everything upfront, even though you only needed access to one credential at a time.

This matters because process memory is not as private as people think. A determined attacker with the right tools can scan running processes and pull out strings of text. Passwords sitting in memory are an easy target. The proof-of-concept tool from Rønning showed exactly how straightforward this extraction can be. The edge password memory design turned the browser into a repository of easily accessible credentials.

How Chrome Handles Password Memory Differently

Rønning tested other Chromium-based browsers to see if they shared Edge’s behavior. Chrome, the most popular Chromium browser, uses a fundamentally different approach. Chrome does not load saved passwords into memory at startup. It decrypts credentials on demand, only when the user visits a site with a saved login or opens the password management interface.

“Edge is the only Chromium-based browser I’ve tested that behaves this way,” Rønning said. “By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.”

This comparison is significant. Both browsers share the same underlying engine. The difference comes down to design choices at the application layer. Microsoft chose to pre-load all credentials. Google chose to load them lazily, on demand. The edge password memory issue was not a Chromium problem. It was a Microsoft decision that the company is now reversing.
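The design difference described in the two preceding sections (eager decryption of the whole vault at startup versus on-demand decryption of one credential) can be made concrete with a small model. The following is an added illustration written for this article, not Edge or Chrome code: a toy XOR cipher stands in for the OS-backed encryption a real browser uses, a `SimulatedHeap` records every buffer a store allocates so that a "memory scan" can be simulated, and `EagerStore` / `OnDemandStore` are hypothetical names for the two designs. The vault contents and key are constructed sample data.

```python
"""Eager vs on-demand credential decryption, modelled as two in-memory stores.

Added example for this article; not code from Edge, Chrome or Chromium.
"""
from contextlib import contextmanager
from typing import Dict, Iterator, List

# Constructed sample vault (site -> plaintext password). Toy data only.
SAMPLE_VAULT = {
    "mail.example": b"correct horse battery",
    "bank.example": b"hunter2-but-longer",
    "forum.example": b"Tr0ub4dor&3",
}
TOY_KEY = b"\x5a\xa5\x0f\xf0"  # constructed; no zero bytes, so every byte changes


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy cipher standing in for DPAPI-style encryption; only here so that
    ciphertext never equals plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class SimulatedHeap:
    """Tracks every buffer a store allocates so we can 'scan process memory'."""

    def __init__(self) -> None:
        self.buffers: List[bytearray] = []

    def alloc(self, data: bytes) -> bytearray:
        buf = bytearray(data)
        self.buffers.append(buf)
        return buf

    def scan(self, needle: bytes) -> bool:
        """What a memory-dumping tool effectively does: look for a known string."""
        return any(needle in buf for buf in self.buffers)


class EagerStore:
    """The startup behaviour the article describes for Edge: decrypt everything
    when the store is created and keep the plaintext resident."""

    def __init__(self, heap: SimulatedHeap, key: bytes, encrypted: Dict[str, bytes]) -> None:
        self.plain = {site: heap.alloc(_xor(ct, key)) for site, ct in encrypted.items()}

    @contextmanager
    def use(self, site: str) -> Iterator[bytearray]:
        yield self.plain[site]  # already resident; nothing to wipe afterwards


class OnDemandStore:
    """Chrome-style behaviour (and the announced Edge change): keep only
    ciphertext resident, decrypt one credential per use, wipe it afterwards."""

    def __init__(self, heap: SimulatedHeap, key: bytes, encrypted: Dict[str, bytes]) -> None:
        self.heap, self.key = heap, key
        self.cipher = {site: heap.alloc(ct) for site, ct in encrypted.items()}

    @contextmanager
    def use(self, site: str) -> Iterator[bytearray]:
        buf = self.heap.alloc(_xor(bytes(self.cipher[site]), self.key))
        try:
            yield buf
        finally:
            for i in range(len(buf)):  # zeroise in place; the buffer stays on the heap
                buf[i] = 0


def _findable(heap: SimulatedHeap) -> int:
    """Number of vault passwords a scan of the heap would recover."""
    return sum(1 for pw in SAMPLE_VAULT.values() if heap.scan(pw))


def exposure_profile(store_cls) -> Dict[str, int]:
    """How many passwords are recoverable at idle, while one site is being
    autofilled, and after that autofill completes."""
    heap = SimulatedHeap()
    encrypted = {site: _xor(pw, TOY_KEY) for site, pw in SAMPLE_VAULT.items()}
    store = store_cls(heap, TOY_KEY, encrypted)
    idle = _findable(heap)
    with store.use("bank.example"):
        during = _findable(heap)
    after = _findable(heap)
    return {"idle": idle, "during_use": during, "after_use": after}


if __name__ == "__main__":
    for cls in (EagerStore, OnDemandStore):
        print(cls.__name__, exposure_profile(cls))
```

The eager store exposes all three passwords at every point in time; the on-demand store exposes none at idle, exactly one during autofill, and none afterwards, which is the "window of exposure" the rest of the article talks about. Note that the active-use exposure remains in both designs, matching the caveat that no password manager can avoid holding a credential in memory while it is being used.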

Microsoft’s Roadmap for the Edge Password Memory Fix

On Wednesday, Microsoft announced a change in direction. Future versions of Edge will no longer load saved passwords into memory on startup. The fix is already live in the Edge Canary channel, which is the earliest testing stage. It will be included in build 148 and newer across all supported Edge releases.

Gareth Evans, Microsoft Edge Security Lead, explained the company’s reasoning. “This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we’re prioritizing the rollout.”

Evans acknowledged the shift in perspective. “With our commitment to the Secure Future Initiative and customer feedback, we are taking a broader view. That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction.”

The company emphasizes that this is a defense-in-depth improvement, not an admission that the previous design was a vulnerability. The threat model has not changed. What has changed is Microsoft’s willingness to go beyond the minimal requirements and reduce risk where possible.

What This Means for Everyday Edge Users

If you use Edge’s built-in password manager, this update is good news. Once the fix reaches your version of Edge, your saved passwords will no longer sit exposed in memory from the moment you launch the browser. Decryption happens only when a saved login is autofilled or the password manager is opened, so an attacker would have to wait for one of those events. That narrows the window of exposure significantly.

But there are important caveats. The fix applies to startup behavior. If you visit a site and Edge autofills your credentials, those passwords will still be in memory during that active session. The change reduces the baseline exposure but does not eliminate it entirely. Passwords remain vulnerable during active use, which is true for all password managers, including third-party tools.

For IT administrators managing Edge in enterprise environments, the update reduces one attack vector. Employees who share workstations or use domain-joined machines will be better protected against local credential theft. However, the threat from attackers with Administrator privileges remains real. The edge password memory fix is one layer of a larger security strategy, not a complete solution.

Understanding the Threat Model Behind Edge’s Decision

Microsoft’s threat model assumes that an attacker with Administrator access can already do significant damage. That assumption is not wrong. Admin rights allow an attacker to install drivers, disable security tools, tamper with system files, and exfiltrate data through many channels. Reading browser memory is just one option among many.

But security is rarely binary. The question is not whether an Administrator can cause harm. The question is how much friction the system adds to each step of an attack. A design that loads all passwords into memory at startup reduces friction. An attacker can extract every credential immediately without triggering any visible activity. A design that loads passwords on demand adds friction. The attacker must interact with the browser or wait for the user to trigger a login before credentials become available.

This friction matters in real-world attacks. Consider a scenario where an attacker gains Administrator access on a shared office workstation. With the old Edge behavior, they could dump every saved password in seconds and move on to the next target. With the new behavior, they would need to monitor the system, wait for user activity, or take additional steps that increase the chance of detection. The edge password memory change shifts the balance, even if only slightly.
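The "chance of detection" the paragraph above refers to can be made concrete on the defender's side. The following is an added example, not something from the article or from Microsoft: it assumes Sysmon is deployed with Event ID 10 (ProcessAccess) logging enabled, and flags any process that opens a browser process with the `PROCESS_VM_READ` right (0x0010, a real Windows access-mask bit) while not being the browser itself or an allowlisted tool. The event records are constructed sample data in a simplified dict form rather than Sysmon's XML, and the allowlist is a placeholder you would replace with your own EDR and backup binaries.

```python
"""Flag processes that read a browser's memory, from Sysmon-style ProcessAccess events.

Added example for this article; field names follow Sysmon Event ID 10, the
records themselves are constructed.
"""
from typing import Dict, Iterable, List

PROCESS_VM_READ = 0x0010  # Windows access-mask bit needed to read another process's memory

# Browser binaries we care about (lower-cased basenames).
BROWSER_IMAGES = {"msedge.exe", "chrome.exe"}

# Placeholder allowlist: source images that legitimately open browser processes.
# Replace with your EDR/AV and backup agents after baselining.
DEFAULT_ALLOWLIST = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",  # browser's own processes
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed sample events (subset of Sysmon Event ID 10 fields).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"SourceImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1FFFFF"},  # browser broker/renderer traffic: allowlisted
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1000"},    # PROCESS_QUERY_LIMITED_INFORMATION only: benign
    {"SourceImage": r"C:\Users\alice\Downloads\memtool.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1010"},    # VM_READ | QUERY_LIMITED_INFORMATION: suspicious
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1FFFFF"},  # PROCESS_ALL_ACCESS includes VM_READ: suspicious
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1010"},    # not a browser target: ignored by this rule
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_memory_read(event: Dict[str, str], allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> bool:
    """True when a non-allowlisted process obtained a handle to a browser
    process that carries the PROCESS_VM_READ right."""
    if _basename(event["TargetImage"]) not in BROWSER_IMAGES:
        return False
    if event["SourceImage"].lower() in {a.lower() for a in allowlist}:
        return False
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_VM_READ)


def find_alerts(events: Iterable[Dict[str, str]], allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> List[str]:
    """Return the source images that would raise an alert."""
    return [e["SourceImage"] for e in events if is_browser_memory_read(e, allowlist)]


if __name__ == "__main__":
    for src in find_alerts(SAMPLE_EVENTS):
        print("ALERT: browser memory read by", src)
```

In practice this rule needs baselining: the browser's own broker and renderer processes, EDR agents and some backup tools open browser processes legitimately, which is why the allowlist is a parameter rather than a constant. The design point matches the article's argument: once credentials are no longer resident at startup, an attacker who wants them has to either read memory at the moment of autofill or interact with the browser, and both of those leave traces a rule like this can catch.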

Security researchers have long argued that browser password managers should minimize the time credentials spend in memory. Edge was an outlier in the Chromium ecosystem by not doing so. Microsoft’s shift from “by design” to “defense-in-depth” signals a recognition that user expectations and industry standards matter beyond the strict threat model.

Steps You Can Take Right Now to Protect Your Credentials

The Edge password memory fix is rolling out, but it may take weeks or months to reach every version. In the meantime, you can take practical steps to reduce your exposure.

First, consider whether you need Edge’s built-in password manager at all. Dedicated password managers like Bitwarden, 1Password, and KeePass offer stronger memory protection as part of their design. These tools load credentials on demand and clear them from memory after use. They also provide cross-platform support, advanced sharing features, and audited encryption. If the edge password memory issue makes you uncomfortable, switching to a dedicated tool removes that concern entirely.

Second, check which version of Edge you are running. Open edge://settings/help to see your build number. Build 148 or newer on the Canary channel includes the fix. Stable channel users will need to wait for the update to propagate. Microsoft has not announced a specific date for the stable release, but the company says it is prioritizing the rollout.

Third, enable additional security features in Windows. Microsoft Defender Credential Guard uses virtualization-based security to protect secrets in memory. This feature is available in Windows Enterprise and Education editions. It does not directly affect browser memory, but it raises the bar for credential theft overall.

Fourth, practice good password hygiene even with the fix. Do not reuse passwords across sites. Enable two-factor authentication wherever possible. The edge password memory update reduces one risk, but credential theft happens through many channels. Phishing, keylogging, and database breaches remain common threats that a browser fix cannot address.

Fifth, if you share a computer with others, consider creating separate Windows user accounts. The proof-of-concept tool requires Administrator privileges to dump passwords from other users’ Edge processes. On a shared machine with standard user accounts, one user cannot easily access another user’s Edge memory without escalated privileges. This separation adds a layer of protection beyond what the browser provides.

The Bigger Picture: Defense-in-Depth and Browser Security

Microsoft’s reversal on the edge password memory issue is part of a larger trend. Browser vendors are under increasing pressure to harden their products against credential theft. Last year, Microsoft introduced a new security feature to protect Edge users against malicious extensions sideloaded into the browser. The company also restricted access to Edge’s Internet Explorer mode after hackers began exploiting zero-day vulnerabilities in the Chakra JavaScript engine.


These updates reflect a broader shift toward defense-in-depth thinking. No single security control is perfect. The goal is to layer multiple controls so that an attacker must overcome several barriers to succeed. The edge password memory change adds one more layer. It does not make Edge invulnerable. It does make a specific attack path harder to execute.

Other browser vendors face similar scrutiny. Chrome, Firefox, and Safari all store credentials and process them in memory. Each handles the lifecycle of those credentials differently. Researchers continue to find ways to extract credentials from memory in all browsers. The attack surface is not going away. But the willingness of vendors to fix issues that fall outside their strict threat models represents progress.

The controversy also highlights the tension between convenience and security. Loading passwords into memory at startup makes autofill instant. The user never waits for decryption. The trade-off is exposure. Microsoft chose instant convenience. Users and researchers pushed back, and Microsoft adjusted. That cycle is healthy. It forces vendors to justify their design choices and adapt when those choices no longer align with user expectations.

How to Verify Your Edge Version Has the Fix

Checking your Edge build is straightforward. Open the browser and type edge://settings/help into the address bar. Press Enter. The page will display your current version and build number. If you are running build 148 or newer on any channel, the edge password memory change is active. The Canary channel updates daily and already includes the fix. The Dev channel follows shortly after. Beta and Stable channels receive updates on a slower cadence.

If you want the fix immediately, you can switch to the Edge Canary channel. Canary runs alongside your stable installation, so you can use both simultaneously. Keep in mind that Canary is a testing build. It may contain bugs or incomplete features. For day-to-day use, wait for the stable release.

Enterprise administrators managing Edge through Group Policy or Intune should monitor the Edge release notes for the build 148 milestone. The Extended Stable channel, which enterprise customers typically use, will receive the update on a delayed schedule. Microsoft has not specified the exact timeline for each channel, but the company says all supported versions will receive the fix.

What the Security Community Says About the Change

Reaction from security researchers has been measured but positive. Rønning, who discovered and reported the issue, acknowledged Microsoft’s response. The company could have maintained its original position. Instead, it chose to make a change that reduces risk for millions of users. That decision deserves recognition.

Some researchers note that the fix does not address the broader problem of passwords in memory during active use. An attacker who monitors process memory at the right moment can still capture credentials. But reducing the window of exposure from the entire session to only moments of active use is a meaningful improvement. It forces attackers to time their actions more precisely and increases the chance that their activity is detected.

Others have questioned why Microsoft needed public disclosure to make the change. The behavior was present for years. Internal security reviews should have identified the edge password memory concern. The company’s initial response suggested that the behavior was intentional and acceptable. It took external pressure to trigger a reassessment. This dynamic is not unique to Microsoft. Many security improvements in software happen only after public disclosure or active exploitation.

A Practical Perspective for Home Users

If you are a home user who is not deeply technical, you might wonder what to do right now. The honest answer is that you do not need to panic. The edge password memory vulnerability requires an attacker to already have access to your device. That is a high bar. Most credential theft happens through phishing, data breaches, or malware that logs keystrokes. The memory exposure issue is real, but it is not the most likely threat you face.

That said, there are simple steps you can take. Update Edge regularly. Windows Update delivers Edge updates automatically on most systems. Make sure your device is set to receive updates. Use a dedicated password manager if you want stronger memory protection. Enable two-factor authentication on accounts that support it. These steps protect you against a broad range of threats, not just the memory issue.

If you share a computer with family members, ensure each person has their own Windows user account. Standard user accounts cannot read other users’ process memory without escalation. This separation provides meaningful protection against casual credential theft within a household.

Enterprise Considerations for IT Administrators

For enterprise IT teams, the edge password memory fix is a positive development, but it should not change your broader credential security strategy. Enterprise environments face sophisticated threats that go beyond local memory extraction. Attackers target Active Directory, cloud applications, and federation services. Password memory exposure on individual browsers is one piece of a much larger puzzle.

If your organization currently allows Edge’s built-in password manager, consider whether dedicated enterprise password management tools offer better control. Solutions like Azure AD Password Protection, Windows Hello for Business, and third-party password managers provide centralized management, auditing, and policy enforcement. These tools also handle memory protection more rigorously than built-in browser managers.

The Edge update also serves as a reminder to review your security baselines. When Microsoft releases build 148 to the Extended Stable channel, test it in your environment before wide deployment. Validate that the change does not break any internal applications that rely on Edge’s autofill behavior. The fix should be transparent to users, but testing is always prudent.

Looking Ahead: What’s Next for Browser Password Security

The edge password memory change is one step in an ongoing evolution. Browser vendors continue to explore ways to protect credentials without sacrificing usability. Platform-level features like hardware-backed credential storage and biometric authentication reduce the reliance on process memory. Windows Hello and Apple’s Keychain use secure enclaves that keep secrets isolated from the main operating system. Edge already supports Windows Hello for password autofill on compatible devices.

As these technologies mature, the role of traditional password managers may shift. The boundary between operating system security and browser security is blurring. Future browsers may rely entirely on platform-level credential stores that never expose passwords to browser memory. For now, the edge password memory fix is a practical improvement that reduces risk without requiring architectural changes.

The incident also shows the value of responsible disclosure. Rønning gave Microsoft time to respond before going public. When the company declined to act, he published his findings. That disclosure led to a reversal and a fix. The process worked as designed. Users benefit from the scrutiny, and vendors benefit from feedback that helps them see beyond their own threat models.

If you follow browser security news, expect similar stories in the future. Researchers will continue to probe how browsers handle credentials. Vendors will continue to balance convenience against protection. The edge password memory case sets a precedent that public disclosure can drive change, even when a vendor initially defends its design as intentional.

For now, the fix is on the way. Edge users who update to the latest builds will get stronger protection against credential theft from process memory. The change is not a silver bullet, but it is a meaningful improvement. And it shows that Microsoft is listening to the security community, even when the answers are not comfortable.
