Microsoft reversed course on a longstanding Edge browser security practice that exposed saved passwords in process memory during startup. The company previously defended the behavior as "by design," but now commits to eliminating the vulnerability.

Edge stored plaintext passwords in RAM when the browser launched, creating a window of exposure for threat actors with local system access or memory-dumping malware. An attacker gaining kernel-level privileges or executing credential-theft utilities could extract these passwords before users even accessed them.

The shift represents a significant policy change. Security researchers had flagged the practice for years, questioning why Edge loaded all saved credentials into memory immediately rather than decrypting them only when users needed them. Microsoft's initial response dismissed the concern, claiming the implementation reflected intentional architectural decisions.

The updated approach will decrypt passwords on demand rather than preloading them into process memory at startup. This reduces the exposure window considerably. Users gain protection against memory-dumping attacks that occur before they actively use stored credentials.
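The difference between the two models can be shown with a small sketch. This is an added example, not Microsoft's code: the `Vault` class, the sample entries and the toy SHA-256 stream cipher (a stand-in for the browser's real store encryption) are all assumptions made for illustration.

```python
import hashlib, os
from contextlib import contextmanager

def _xor_stream(key, nonce, data):
    """Toy SHA-256 counter-mode cipher: a labelled stand-in, not real store encryption."""
    out = bytearray(data)
    for i in range(len(out)):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out[i] ^= pad[i % 32]
    return out

class Vault:
    """Hypothetical credential store holding ciphertext, with optional preload."""
    def __init__(self, key, records, preload=False):
        self._key = key
        self._records = records      # site -> (nonce, ciphertext)
        self._plain = {}             # site -> bytearray of plaintext now resident
        if preload:                  # the startup behaviour the article describes
            for site in records:
                self._plain[site] = self._decrypt(site)

    def _decrypt(self, site):
        nonce, ct = self._records[site]
        return _xor_stream(self._key, nonce, ct)

    def resident_plaintext(self):
        """What a dump of this object's memory would yield right now."""
        return {s: bytes(p) for s, p in self._plain.items()}

    @contextmanager
    def use(self, site):
        """Decrypt one entry on demand and wipe it when the caller is done."""
        buf = self._plain.get(site)
        transient = buf is None
        if transient:
            buf = self._plain[site] = self._decrypt(site)
        try:
            yield buf
        finally:
            if transient:
                buf[:] = bytes(len(buf))   # best-effort zeroing of the buffer
                del self._plain[site]

def build_records(key, secrets):
    records = {}
    for site, pw in secrets.items():
        nonce = os.urandom(12)
        records[site] = (nonce, bytes(_xor_stream(key, nonce, pw)))
    return records

# Constructed sample entries, not real credentials.
SAMPLE = {"mail.example": b"constructed-pw-1", "bank.example": b"constructed-pw-2"}
```

Zeroing a `bytearray` is only best-effort in Python, since the runtime may hold other copies; native code would use a dedicated secure-zeroing primitive for the same step.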

The timeline for deployment remains unclear. Microsoft typically rolls out browser updates through its standard release cycle, which occurs every four weeks for stable builds. Organizations running Edge on Windows devices should monitor patch notes and prioritize updates once the fix reaches production.

This change brings Edge closer to Firefox's and Chrome's credential handling models, both of which avoid loading all passwords into memory upfront. Security-conscious organizations may now see fewer reasons to disable Edge's password manager entirely, a workaround some implemented to mitigate the risk.

The reversal also signals that Microsoft is responding to persistent security community pressure. Researchers publishing detailed technical breakdowns of the memory exposure helped force the company's hand. Similar pressure campaigns have proven effective in addressing other browser security gaps over the past decade.