Support NeoGAF

winjer · 2026-05-06T18:38:26+0100

Microsoft Edge stores your passwords in plaintext RAM... on purpose

A security researcher showed that Edge passwords are plaintext readable in RAM. Microsoft confirmed the behavior is intentional.

www.pcworld.com

PCWorld reports that Microsoft Edge's password manager stores all user passwords in plaintext RAM, creating a serious security vulnerability that allows local attackers to easily access credentials.

Norwegian security researcher Tom Jøran Sønstebyseter Rønning discovered this flaw, which Microsoft confirms is a deliberate design decision rather than an accidental oversight.

Users should immediately migrate their passwords from Edge to dedicated password managers, as authentication protection offers little defense against RAM access attacks.

Serious flaw in Edge's password manager
The vulnerability affects Microsoft Edge's password manager. Password managers typically use end-to-end encryption and store passwords in cloud storage so that users can access them from anywhere. When passwords are needed, password managers normally decrypt the them for use and then delete them afterwards.

The fact that Edge keeps all passwords loaded without any encryption is both unusual and dangerous. Other password managers, including those that are built into browsers, don't operate in this way—Rønning says Edge is the only Chromium-based browser he's tested with this behavior.

Edge does require authentication to view passwords in the password manager, but this is of little protective value if attackers can simply gain access by reading the RAM, which is what happens here.

This has to be one of Microsoft's biggest fuck ups ever. To be so incompetent as to expose users passwords in plain text, that can be read out of RAM.
And this is another reason why you should never use Microsoft Edge.

AJUMP23 · 2026-05-06T18:58:12+0100

What a terrible development.

ReBurn · 2026-05-06T19:01:46+0100

It doesn't store my passwords in plain text because I don't trust browsers to store my passwords.

IntentionalPun · 2026-05-06T19:03:05+0100

Could be exploited by malware. Needs to be fixed, but this is how pretty much all browsers worked just a few years ago. If you have malware running on your machine with your privileges you are pretty fucked in general, but this is worse as wouldn't even need a keylogger as all passwords are just there in memory.

Dacvak · 2026-05-06T19:07:31+0100

Holy shit that's wild. How could they think that was a good idea?

demigod · 2026-05-06T19:07:39+0100

If you use Edge, you deserve to have your passwords hacked.

Trogdor1123 · 2026-05-06T19:09:37+0100

demigod said:
If you use Edge, you deserve to have your passwords hacked.

I don't know, edge is alright. Better than Chrome that's for sure.

forsakkenSoul · 2026-05-06T19:24:55+0100

I've used Edge before and was honestly kinda surprised, it's really stable and fast, I only stopped using it because my settings kept getting reset almost every week. I've also tried Brave, Vivaldi, and Chrome, they're all fine, but I still prefer good old Firefox.

Fake · 2026-05-06T19:26:07+0100

Vibe coding.

Magic Carpet · 2026-05-06T19:30:13+0100

'Password Manager'

They deserve to be raked over the coals for this bit of news.

Gp1 · 2026-05-06T19:30:26+0100

ReBurn said:
It doesn't store my passwords in plain text because I don't trust browsers to store my passwords.

Store that, Edge

winjer · 2026-05-06T19:56:36+0100

kruis · 2026-05-06T20:27:20+0100

https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk

"An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.

Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub.

Hmmm ... if you're being attacked by someone with admin privileges on your own PC, it's already game over.

Draugoth · 2026-05-06T20:28:40+0100

LibreWolf and Brave > Everything fucking else

winjer · 2026-05-06T20:30:24+0100

Draugoth said:
LibreWolf and Brave > Everything fucking else

I have heard good things about Helium. Though I haven't tried it.

Donald mac Ronald · 2026-05-06T20:36:49+0100

Microsoft make crappy products.

Tell me one piece of software in 15 years that's actually been better than mediocre

Reizo Ryuu · 2026-05-07T03:32:05+0100

I also store my passwords in plain text on paper

PSYGN · 2026-05-07T04:11:32+0100

Microslop

Ozzie666 · 2026-05-07T04:23:53+0100

Hear you, see your passwords too.

Trillion dollar company? how could anyone think this was a solid secure idea?

Support NeoGAF

Microsoft Edge stores your passwords in plaintext

Gold Member

Serious flaw in Edge's password manager

Parody of actual AJUMP23

Gold Member

Ask me about my wife's perfect butthole

No one shall be brought before our LORD David Bowie without the true and secret knowledge of the Photoshop. For in that time, so shall He appear.

Member

Member

Member

Member

Gold Member

Member

Gold Member

Exposing the sinister cartel of retailers who allow companies to pay for advertising space.

Gold Member

Gold Member

Member

Member

Member

Member

Similar threads