Security Researcher Warns Microsoft Edge Users About Saved Passwords
If you use Microsoft Edge as your main browser, there is an important security issue you should know about.
A security researcher recently discovered that Microsoft Edge keeps saved passwords in plain text in the browser's process memory. This means that if a hacker or malware gains access to your computer, stealing your saved passwords could become easier.
The issue was first highlighted by security researcher Tom Jøran Sønstebyseter Rønning, who shared details and a demonstration on X (formerly Twitter).
What Exactly Happened?
Normally, when you try to view saved passwords in Edge, the browser asks for your Windows PIN or password before showing them.
That sounds secure, but according to the researcher, Edge already decrypts and loads all saved passwords into memory when the browser starts.
In simple words:
- Your passwords are already unlocked inside the browser process.
- This is true even if you are not using those passwords.
- It is true even if you never open the related websites.
This creates a possible risk if malware or an attacker gets access to your computer.
Why Is This a Problem?
Many browsers only decrypt passwords when they are actually needed.
For example, Google Chrome uses additional protections that make it harder to extract passwords directly from memory.
According to the researcher, Edge behaves differently by keeping all passwords loaded in memory continuously.
This could make password theft easier on:
- Shared computers
- Office PCs
- Compromised systems infected with malware
- Systems where attackers gain administrator access
The researcher even created a demonstration tool showing how saved credentials could be extracted from Edge memory.
Microsoft’s Response
Microsoft reportedly described this behavior as a “design choice” intended for performance, usability, and security reasons.
However, several cybersecurity experts criticized this response and argued that convenience should not come before stronger password protection.
Are Your Passwords Already Stolen?
No.
This does not mean your passwords have already been leaked.
The issue only becomes dangerous if:
- Your computer gets infected with malware
- Someone gains unauthorized access to your system
- An attacker compromises your Windows account
Still, security experts say the design makes Edge less secure compared to some other browsers.
Should You Stop Using Edge?
Not necessarily.
If you already practice good security habits, the risk is lower. But if you store many important passwords inside Edge, you may want to:
- Use a different browser
- Use a dedicated password manager
- Avoid saving highly sensitive passwords directly in the browser
- Keep Windows and antivirus software updated
How to Move Your Passwords from Edge to Chrome
If you want to switch browsers, you can export your passwords from Edge and import them into Chrome.
Step 1: Export Passwords from Edge
- Open Edge
- Go to Password Manager
- Click the three-dot menu
- Select “Export Passwords”
- Enter your Windows PIN or password
- Save the CSV file somewhere safe
Step 2: Import Passwords into Chrome
- Open Chrome
- Go to Google Password Manager
- Choose “Import Passwords”
- Select the CSV file you exported from Edge
- Import the passwords
After importing, delete the CSV file from your computer because it contains your passwords in readable form.
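As an added example (not from the original article or the researcher), the Python script below finds leftover password-export CSVs by their header row, counts their entries without printing any secrets, and deletes them. It assumes the export has a header row with url, username and password columns; the file names and sample data in demo() are constructed.

```python
import csv
import tempfile
from pathlib import Path

# Assumption: a browser password export is a CSV whose header row contains
# at least these columns (extra columns such as "name" or "note" are fine).
REQUIRED_COLUMNS = {"url", "username", "password"}

def is_password_export(path: Path) -> bool:
    """Return True if the CSV header contains the credential columns."""
    try:
        with path.open(newline="", encoding="utf-8-sig", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except OSError:
        return False  # unreadable file: skip it rather than crash
    return REQUIRED_COLUMNS <= {col.strip().lower() for col in header}

def find_password_exports(root: Path) -> list[Path]:
    """Recursively list CSV files under root that look like password exports."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == ".csv" and is_password_export(p))

def count_entries(path: Path) -> int:
    """Count credential rows without printing or returning any password."""
    with path.open(newline="", encoding="utf-8-sig", errors="replace") as fh:
        return sum(1 for row in csv.DictReader(fh) if any(row.values()))

def remove_exports(paths: list[Path]) -> int:
    """Delete the files and return how many were removed."""
    # Path.unlink() removes the file directly instead of moving it to the
    # Recycle Bin. Copies in cloud-sync folders or backups are not touched.
    for p in paths:
        p.unlink()
    return len(paths)

def demo() -> tuple[int, int, int]:
    """Run the check against constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        # Constructed sample export; the credentials are fake.
        (downloads / "exported-passwords.CSV").write_text(
            "name,url,username,password\n"
            "example,https://example.com,alice,not-a-real-password\n"
            "test,https://test.example,bob,also-fake\n", encoding="utf-8")
        (downloads / "budget.csv").write_text("month,amount\nJan,10\n", encoding="utf-8")
        found = find_password_exports(Path(tmp))
        entries = sum(count_entries(p) for p in found)
        return len(found), entries, remove_exports(found)
```

To check a real machine, call find_password_exports() on your own Downloads, Desktop and Documents folders and review the list before passing it to remove_exports().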
Final Thoughts
This issue highlights how important browser security really is.
While the vulnerability does not automatically expose your passwords to the internet, it could make things easier for hackers if your system becomes compromised.
For now, users should stay informed, keep their systems secure, and consider whether they are comfortable storing passwords inside Microsoft Edge.
Sources
- https://www.computerworld.com/article/4167430/edge-browser-leaves-passwords-exposed-in-plain-text-says-researcher.html
- https://x.com/L1v1ng0ffTh3L4N/status/2051308329880719730