Microsoft Edge ends plaintext password storage in RAM with version 148
Edge no longer loads plaintext passwords into memory on startup.
Microsoft Edge will no longer store plaintext passwords in memory after a security researcher exposed a long-standing vulnerability. Researcher Tom Jøran Sønstebyseter Rønning demonstrated that Edge's built-in password manager decrypted all saved credentials at startup and kept them resident in process memory—even if the user never visited those sites. He released a tool called EdgeSavedPasswordsDumper to prove the behavior. Microsoft initially claimed this was an 'expected feature' and argued that an attacker would already need to have compromised the device, but the company reversed course after public scrutiny.
Microsoft Edge Security Team Lead Gareth Evans announced the change is rolling out in Edge version 148 and later, covering all channels including Stable, Beta, Dev, Canary, and Extended Stable. The fix is a defense-in-depth measure that stops loading passwords into memory on startup. Edge was the only Chromium-based browser exhibiting this behavior, according to Rønning. Users can update by going to Settings > Help and feedback > About Microsoft Edge to trigger the automatic update. No further action is needed beyond installing the latest version.
- Edge's password manager decrypted all saved credentials at startup and kept them in plaintext in process memory, even if they were never used.
- Microsoft initially called it intentional but reversed course after a researcher's video proof and public backlash.
- Fix is now live in Edge version 148+; users can update via About Microsoft Edge for immediate protection.
Why It Matters
Better password security reduces credential theft risk for millions of Edge password manager users.