Microsoft Edge keeps all saved passwords as plaintext in process memory at all times, not just during active use.
Key Takeaways
Passwords remain decrypted in Edge’s memory while the browser is idle and no password is being read or filled.
Any process that can open Edge’s process memory, which on Windows includes other processes running as the same user, can read the credentials out without any user interaction.
Microsoft’s response frames the issue as requiring an attacker who already holds administrator access, but the exposure is broader than that threshold implies.
Chrome addressed a similar issue in 2024: passwords are encrypted in memory and decryption is gated by an elevated service that verifies the calling process, so another process cannot impersonate the browser to obtain them.
Hacker News Comment Review
The thread splits on the threat model: skeptics invoke Raymond Chen’s “airtight hatchway” argument that an attacker who can read another process’s memory as admin has already won, while others point out that a renderer-process exploit or a Spectre-class side channel can read browser memory without any elevation.
Chrome’s 2024 App-Bound Encryption work is cited as the meaningful engineering contrast: passwords encrypted in memory, decryption gated by an elevated service, and impersonation of the browser blocked at the OS level.
A secondary risk raised is swap: plaintext passwords in RAM can be paged out to the Windows page file (pagefile.sys), where they persist after the browser closes and, unless the page file is cleared at shutdown, across reboots.
Notable Comments
@Lorkki: notes browser-exploitable memory-read vulns work without admin rights, making eager credential wiping a sensible defense-in-depth even if imperfect.
@timedude: flags that low-memory conditions can page plaintext passwords to disk in the swap file.
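The defense-in-depth the commenters ask for, as an added example that is not code from the thread, from Microsoft or from Chromium: keep a credential in pages pinned against paging (VirtualLock on Windows, mlock on POSIX) and wipe it the moment it has been handed to its consumer, using a zeroing call the compiler cannot optimise away. Pinning can be refused (RLIMIT_MEMLOCK on Linux, working-set limits on Windows), so the code records whether it succeeded rather than assuming it. The type and function names (secret_t, secret_clear, secret_contains) and the sample credential are assumptions of this example.

```c
/* Added example: holding a credential so it is neither paged to swap nor
 * left behind in RAM after use. Builds on Windows (VirtualLock,
 * SecureZeroMemory) and on POSIX (mlock plus a volatile-pointer memset). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Secret buffer with fixed capacity; tracks whether its pages are pinned. */
typedef struct {
    unsigned char *buf;
    size_t cap;
    size_t len;
    int locked;   /* 1 if the pages are pinned and cannot be paged out */
} secret_t;

/* A plain memset followed by no further reads is a dead store that the
 * optimiser removes; calling through a volatile function pointer (or the
 * platform's SecureZeroMemory) forces the zeroing to actually happen. */
static void secure_wipe(void *p, size_t n) {
#ifdef _WIN32
    SecureZeroMemory(p, n);
#else
    static void *(*volatile memset_v)(void *, int, size_t) = memset;
    memset_v(p, 0, n);
#endif
}

static int pin_pages(void *p, size_t n) {
#ifdef _WIN32
    return VirtualLock(p, n) ? 1 : 0;
#else
    return mlock(p, n) == 0 ? 1 : 0;
#endif
}

static void unpin_pages(void *p, size_t n) {
#ifdef _WIN32
    VirtualUnlock(p, n);
#else
    munlock(p, n);
#endif
}

/* Allocate and try to pin; the caller decides whether a refused pin is fatal. */
static secret_t *secret_new(size_t cap) {
    secret_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->buf = calloc(1, cap);
    if (!s->buf) { free(s); return NULL; }
    s->cap = cap;
    s->locked = pin_pages(s->buf, cap);
    return s;
}

/* Returns 1 on success, 0 if the value does not fit. */
static int secret_set(secret_t *s, const char *value) {
    size_t n = strlen(value);
    if (n > s->cap) return 0;
    memcpy(s->buf, value, n);
    s->len = n;
    return 1;
}

/* Eager wipe: call as soon as the credential has been consumed (for example
 * filled into a form), not at process exit and not on a timer. */
static void secret_clear(secret_t *s) {
    secure_wipe(s->buf, s->cap);
    s->len = 0;
}

static void secret_free(secret_t *s) {
    if (!s) return;
    secret_clear(s);
    if (s->locked) unpin_pages(s->buf, s->cap);
    free(s->buf);
    free(s);
}

/* Check helper: is the given plaintext still findable anywhere in the buffer? */
static int secret_contains(const secret_t *s, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > s->cap) return 0;
    for (size_t i = 0; i + n <= s->cap; i++)
        if (memcmp(s->buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Check helper: is every byte of the buffer zero? */
static int secret_is_zeroed(const secret_t *s) {
    for (size_t i = 0; i < s->cap; i++)
        if (s->buf[i] != 0) return 0;
    return 1;
}

int main(void) {
    const char *pw = "hunter2-example";   /* constructed sample, not a real credential */
    secret_t *s = secret_new(64);
    if (!s) return 1;
    secret_set(s, pw);
    printf("pinned in RAM: %s\n", s->locked ? "yes" : "no (mlock/VirtualLock refused)");
    printf("before use: plaintext present = %d\n", secret_contains(s, pw));
    /* ... hand the credential to its consumer here ... */
    secret_clear(s);
    printf("after use:  plaintext present = %d\n", secret_contains(s, pw));
    secret_free(s);
    return 0;
}
```

Two caveats a practitioner would want: pinning keeps the pages out of the page file but does nothing against a process that can read live memory, which is the exposure the thread is actually about, and VirtualLock does not keep pages out of the hibernation file, so a machine that hibernates with the credential held still writes it to disk.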