Microsoft Edge is storing passwords as plain text? Here's what Microsoft says.

May 5, 2026


UPDATE: May 6, 2026, 9:40 a.m. EDT: This piece was updated to include a statement from Microsoft.

Password managers are supposed to make life easier for users by remembering their passwords and keeping them secure.

However, one cybersecurity researcher has discovered concerning behavior in how the password manager in Microsoft's Edge web browser handles saved credentials.

According to researcher Tom Jøran Sønstebyseter Rønning, Microsoft Edge loads every saved password into memory at startup — in plaintext.

In a thread on X, Rønning detailed how the credentials are decrypted even if a user doesn't visit a site that uses the password manager during the user session.


"If an attacker gains administrative access on a terminal server, they can access the memory of all logged-on user processes," Rønning writes.

Edge is Microsoft's proprietary web browser based on the Chromium open-source project, the code base developed and maintained by Google. However, as Rønning shared, this issue involving plain text credentials does not appear in other Chromium-based browsers like Google Chrome.

"Edge is the only Chromium-based browser I’ve tested that behaves this way," says Rønning. "By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory."

Rønning says he first reached out to Microsoft regarding his findings before publicly disclosing the issue. According to the cybersecurity researcher, Microsoft responded by saying this behavior in Microsoft Edge was "by design."

Mashable reached out to Microsoft for more information about Rønning's findings and received a similar response.

"Safety and security are foundational to Microsoft Edge," a Microsoft spokesperson said in a statement provided to Mashable. "Access to browser data as described in the reported scenario would require the device to already be compromised. Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats. Browsers access password data in memory to help users sign in quickly and securely — this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."

The German tech website Heise Online replicated the password issue. The site also noted that, according to well-established cybersecurity best practices, "passwords should only be decrypted at the time of use and deleted from memory very shortly thereafter."

Given Microsoft's response to Rønning, users concerned about the potential issue should consider alternative password managers and/or make sure their browser and device are set up with the latest security updates.
