
Microsoft Edge stores your passwords in plaintext

winjer

Gold Member

  • PCWorld reports that Microsoft Edge's password manager stores all user passwords in plaintext RAM, creating a serious security vulnerability that allows local attackers to easily access credentials.
  • Norwegian security researcher Tom Jøran Sønstebyseter Rønning discovered this flaw, which Microsoft confirms is a deliberate design decision rather than an accidental oversight.
  • Users should immediately migrate their passwords from Edge to dedicated password managers, as authentication protection offers little defense against RAM access attacks.

Serious flaw in Edge's password manager

The vulnerability affects Microsoft Edge's password manager. Password managers typically use end-to-end encryption and store passwords in cloud storage so that users can access them from anywhere. When passwords are needed, password managers normally decrypt them for use and then delete them afterwards.

The fact that Edge keeps all passwords loaded without any encryption is both unusual and dangerous. Other password managers, including those that are built into browsers, don't operate in this way—Rønning says Edge is the only Chromium-based browser he's tested with this behavior.

Edge does require authentication to view passwords in the password manager, but this is of little protective value if attackers can simply gain access by reading the RAM, which is what happens here.



This has to be one of Microsoft's biggest fuck ups ever. To be so incompetent as to expose users' passwords in plain text that can be read out of RAM.
And this is another reason why you should never use Microsoft Edge.

 
Could be exploited by malware. Needs to be fixed, but this is how pretty much all browsers worked just a few years ago. If you have malware running on your machine with your privileges you are pretty fucked in general, but this is worse as you wouldn't even need a keylogger, as all passwords are just there in memory.
 
Holy shit that's wild. How could they think that was a good idea?
 
I've used Edge before and was honestly kinda surprised, it's really stable and fast, I only stopped using it because my settings kept getting reset almost every week. I've also tried Brave, Vivaldi, and Chrome, they're all fine, but I still prefer good old Firefox.
 

"An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they're not in use, because the browser stores them in cleartext in process memory as part of a design decision by Microsoft.

Security researcher Tom Jøran Sønstebyseter Rønning revealed the issue and how it can be exploited in a proof-of-concept (PoC) tool at Palo Alto Networks Norway's BIG Bite of Tech conference last week. He subsequently posted resources for the PoC and tool on GitHub."

Hmmm ... if you're being attacked by someone with admin privileges on your own PC, it's already game over.
 
Thank fuck, finally a company that knows the value of just having an easily accessible list of my passwords so I don't forget them. No need for those 20 post-it notes on my wall now.
 
I've used Edge before and was honestly kinda surprised, it's really stable and fast, I only stopped using it because my settings kept getting reset almost every week. I've also tried Brave, Vivaldi, and Chrome, they're all fine, but I still prefer good old Firefox.
I gave up on Edge a few weeks ago for the same reason. It reset a bunch of stuff. I got developer mode back in place, set up TamperMonkey again, knocked out all the weird little permission things I needed to, and then a few days later it was reset again. Gave up right then and there.
Hmmm ... if you're being attacked by someone with admin privileges on your own PC, it's already game over.
I think in Windows the way it's supposed to work for passwords like this is that they're encrypted on disk via account specific keys, so just being 'admin' isn't quite enough to get them in that case as you need to be logged in as the correct account regardless. But you could probably just change the target account's password and then log in yourself to extract passwords from disk. Can't say I've ever tried it.

Clearing the password in memory immediately after loading and subsequently using it is a pretty obvious thing... especially for a 'password manager'... But in my experience most developers don't understand security even a little. I imagine lots of programs keep passwords floating around in memory all day. And that's actually kind of low on the totem pole of constant idiotic security fuck-ups.
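The practice the post above describes (keep the credential in memory only for the moment it is used, then wipe it) as an added C example; this is not code from the thread or from any browser, and `use_credential_once` and the sample credential are constructed for illustration. The wipe goes through a volatile function pointer so the optimizer cannot drop a store to a buffer that is never read again.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* memset called through a volatile function pointer cannot be elided as a
 * "dead store". explicit_bzero (glibc/BSD) or SecureZeroMemory (Windows)
 * do the same job where available. */
static void *(*const volatile wipe_memset)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    wipe_memset(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero (constant-time over len). */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Copies the secret into a working buffer, "uses" it, and wipes the whole
 * buffer before returning. Returns the number of secret bytes used, or 0 if
 * the secret does not fit. The buffer is zeroed on every return path. */
size_t use_credential_once(const char *secret, unsigned char *work, size_t worklen) {
    size_t n = strlen(secret);
    if (n > worklen) return 0;
    memcpy(work, secret, n);
    /* ... the password would be handed to the login form / auth API here ... */
    secure_wipe(work, worklen);
    return n;
}

/* Round trip used by the demo: 1 if the credential was used and no byte of
 * it survives in the working buffer afterwards. */
int wipe_roundtrip_ok(void) {
    unsigned char work[64];
    memset(work, 0xAA, sizeof work);                /* poison so a skipped wipe shows */
    /* constructed sample credential, not a real one */
    size_t used = use_credential_once("correct horse battery staple", work, sizeof work);
    return used == 28 && is_wiped(work, sizeof work);
}

int main(void) {
    printf("credential used and wiped: %s\n", wipe_roundtrip_ok() ? "yes" : "no");
    return 0;
}
```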
 
If a hacker can read your memory you're already fucked.

True, but with a good browser, the hacker can only get one password at a time and only when you log into a site, as that's when it's decrypted.
With Edge, the hacker gets everything in an instant. So a bad situation becomes a complete disaster.
 
True, but with a good browser, the hacker can only get one password at a time and only when you log into a site, as that's when it's decrypted.
With Edge, the hacker gets everything in an instant. So a bad situation becomes a complete disaster.

Best OS for security. Yes, nothing is hack proof, but this makes it hard.
 
This is fucking baffling. Over the years, the AMOUNT of websites that have been exposed for saving passwords in plain text, the amount of hacks, data loss, etc, and Microsoft still does this? I'm actually stunned.
 
Right, better to use Chrome, where they just deliver an LLM AI model to your computer without your consent.

The tech industry is facing a massive competency crisis no one wants to talk about.

So many alternatives besides Chrome and Edge. Most of them are much better.
Brave, Librewolf, Firefox, Mullvad, Vivaldi, Helium, etc.
 
Of course it was intentional. The company now controlled by Indian scammers would like to make their job as easy as possible.
 
Saving your password on a browser has been a dumb thing to do since the day browsers were invented. They even teach you at every single major company not to store your passwords anywhere.
 
I feel like the title should say "... in plaintext in memory" since it's not quite as bad as keeping them on disk unencrypted. Still a security gap, but not at the same level as the title implies.
 
Saving your password on a browser has been a dumb thing to do since the day browsers were invented. They even teach you at every single major company not to store your passwords anywhere.
It's impossible for people to remember 400 different 15-character passwords made of random strings of letters, cases, numbers, and special characters.
 
MS is such a dogshit bottom of the barrel Indian tech company now. I got my win11 gaming PC completely quarantined to only use games and use Linux/Mac for everything else.
 