Microsoft said it will change Edge’s password handling as a “defense‑in‑depth” measure.
Originally, Edge decrypted the entire saved‑password store on startup and kept every credential resident in process memory in clear text for the whole browser session, whether or not that credential was ever used.
A short while ago, Microsoft said this plaintext password behavior was by design. Now, Microsoft has changed course, and the new password-handling behavior is already present in Canary (the experimental preview version of Microsoft Edge), with rollout prioritized across all channels.
The researcher who originally flagged the issue said:
“Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.”