Microsoft Edge Will Stop Loading Passwords Into Memory in Clear Text at Startup

Microsoft Edge

Microsoft is changing its stance on how its Edge browser handles saved passwords in memory. Soon, the browser will no longer load passwords into memory in plain text at startup, even though the company previously argued that this behavior didn't put users at risk.

Earlier this month, security researcher Tom Jøran Sønstebyseter Rønning reported to Microsoft that Edge was loading all saved passwords into memory in clear text on startup, even when the user had not used any of them. The researcher also pointed out that Google Chrome and other Chromium-based browsers don't do this, which limits what an attacker who can read the browser's process memory is able to extract.

After the researcher made the findings public, Microsoft responded that this Edge behavior was "by design", adding that "access to browser data as described in the reported scenario would require the device to already be compromised." That was a surprising response from a company that prides itself on putting security first.

Well, Microsoft ultimately realized that it needed to do better to ensure that Edge users continue to trust the company with their sensitive data. “We will no longer load passwords into memory on startup. This defense-in-depth change will come to every supported version of Edge (Stable, Beta, Dev, Canary, and the Extended Stable channel our enterprise customers run), and we’re prioritizing the rollout. The change is live now in Edge Canary and included in the next update for all Edge releases, build 148 and newer,” explained Gareth Evans, Microsoft Edge Security Team Lead, in a blog post (via Windows Central).

Microsoft falls short of admitting that Edge's current behavior puts users at risk, however. The change narrows the window during which saved credentials sit in plain text inside the Edge process, but it does not alter the threat model: an attacker who can read that process's memory is already running code on the device. "The threat model for our password manager is explicit that physically local attacks and malware running with elevated privileges are out of scope, and that's consistent with every modern browser. In other words, the report does not raise a new avenue for attackers to access credentials through the browser itself," Evans said.

Still, Microsoft acknowledged that it needs to change the way it handles reports from security researchers going forward. “We’re reviewing how we handle researcher reports, with a focus on speed, clarity, and applying defense-in-depth thinking earlier,” Evans said. The company plans to share what it learned in the near future.

Thurrott