Microsoft Edge Stores Passwords in Plain Memory – Users’ Trust Exposed
A security analysis reveals that Microsoft Edge keeps all saved passwords in plaintext within process memory, dramatically widening the attack surface, while Microsoft’s terse "by design" response raises serious concerns for both individual users and enterprises, prompting urgent mitigation recommendations.
1. Incident Overview: Passwords Running "Naked" in Memory
Security researchers reported a critical flaw in Microsoft Edge: every password saved by users is stored in clear text inside the browser’s memory. When the Edge password manager is used, these credentials lack any encryption protection.
Expanded attack surface: Any attacker who can read a user’s process memory—such as malware or spyware—can easily capture these plaintext passwords.
Horizontal movement risk: In corporate environments, an attacker who extracts passwords from one host can reuse them to access other services across the network.
Hard to detect: Because the exposure occurs at the memory level, traditional endpoint defenses struggle to detect this type of theft.
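One way endpoint defenders can still pick this up, as an added example that is not from the article: Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to which target and with what access mask, and a handle to msedge.exe that includes PROCESS_VM_READ (0x0010) from an unexpected image is the precondition for the memory read described above. The detector below parses Sysmon's rendered "Key: Value" message text and flags such opens; the sample events, the allowlist and the paths are constructed assumptions, not data from the article.

```python
"""Detect processes opening msedge.exe with memory-read rights (Sysmon Event ID 10).

Added example, not from the article. Assumes Sysmon ProcessAccess events rendered
as "Key: Value" text; the events and the allowlist below are constructed.
"""
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Constructed allowlist: images that legitimately open Edge processes on this estate.
# Edge's own browser/renderer processes open each other constantly, so they are
# excluded by name; extend the set for your EDR or backup agents after review.
ALLOWLIST = {"msedge.exe", "csrss.exe"}

# Constructed sample of four Sysmon EID 10 events in the message-text layout.
SAMPLE_EVENTS = r"""
Process accessed:
UtcTime: 2024-01-10 09:15:01.120
SourceImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1FFFFF

Process accessed:
UtcTime: 2024-01-10 09:16:42.003
SourceImage: C:\Users\alice\AppData\Local\Temp\updater.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1410

Process accessed:
UtcTime: 2024-01-10 09:17:05.551
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
GrantedAccess: 0x1000

Process accessed:
UtcTime: 2024-01-10 09:18:30.777
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\explorer.exe
GrantedAccess: 0x1FFFFF
"""


def parse_sysmon_text(text: str) -> List[Dict[str, str]]:
    """Split rendered Sysmon message text into one dict per event (blank-line separated)."""
    events: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ": " not in line:
                continue  # the "Process accessed:" header carries no value
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_edge_memory_reads(events, allowlist=ALLOWLIST) -> List[Dict[str, str]]:
    """Return one alert per non-allowlisted process that opened msedge.exe with PROCESS_VM_READ."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if image_name(ev.get("TargetImage", "")) != "msedge.exe":
            continue
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # handle cannot read memory (e.g. QUERY_LIMITED_INFORMATION only)
        if image_name(ev.get("SourceImage", "")) in allowlist:
            continue
        alerts.append({
            "time": ev.get("UtcTime", "?"),
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "access": hex(granted),
        })
    return alerts


def run_edge_sample() -> List[Dict[str, str]]:
    """Run the detector over the constructed sample and return the alert list."""
    return detect_edge_memory_reads(parse_sysmon_text(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_edge_sample():
        print(f"{alert['time']} {alert['source']} opened {alert['target']} with {alert['access']}")
```

Only the constructed updater.exe event trips the rule: svchost.exe asked for 0x1000 (no VM_READ bit) and the Edge-to-Edge open is allowlisted. In production the allowlist is where the tuning effort goes, since EDR agents and backup tools legitimately open browser processes.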
2. "By Design" – The Most Flippant Security Response
When confronted with the flaw, Microsoft replied succinctly with "by design." The article questions whether this is a technical explanation or a PR line.
From a security‑operations perspective, if the design truly leaves passwords in memory, that points to a missing security consideration in Edge’s password manager. The article argues Microsoft should instead:
Openly acknowledge the issue: No evasion or blame‑shifting.
Assess impact scope: Clearly disclose how many global users are affected.
Develop a remediation plan: Provide a concrete timeline for fixes.
Strengthen security measures: Consider memory encryption, process isolation, and other hardening techniques.
3. User Trust Should Not Be Squandered
Microsoft’s massive user base entrusts the Edge browser with their passwords, forming an implicit psychological contract that the provider will safeguard personal data. Storing passwords in plaintext violates this contract.
For enterprise users the risks are even more severe:
Centralized password storage: Employees’ work‑account credentials saved in Edge could be exposed.
Internal lateral movement: Captured credentials enable attackers to penetrate deeper into corporate networks.
Potential data‑asset loss: Email, VPN, CMS back‑ends—any service whose password was saved in Edge may be compromised.
4. What Can Users and Microsoft Do?
Security practitioners have long advocated the use of password managers and secure products, yet a mainstream browser’s manager now proves unreliable.
Advice for users:
Avoid saving passwords in Edge, especially for critical accounts.
Enable multi‑factor authentication to add a protective layer even if passwords leak.
Consider dedicated password‑manager solutions such as Bitwarden or 1Password.
Monitor for abnormal login activity to detect possible credential abuse promptly.
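The last piece of advice, watching for abnormal logins, as an added example that is not from the article: two simple rules over a time-ordered login feed, a burst of failures from one address followed by a success (credential guessing or stuffing that worked) and a success from a country the account has never logged in from before. The event tuples, thresholds and field layout are constructed assumptions, and the IP addresses come from documentation ranges.

```python
"""Flag abnormal login activity that may indicate use of stolen credentials.

Added example, not from the article. The event tuples are constructed and use
documentation IP ranges; field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                   # failures from one IP before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # how long a failure counts toward the threshold

# Constructed sample: (ISO timestamp, user, source IP, country, outcome)
SAMPLE_LOGINS = [
    ("2024-01-10T08:00:00", "alice", "203.0.113.5",  "DE", "success"),
    ("2024-01-10T08:05:00", "alice", "203.0.113.5",  "DE", "success"),
    ("2024-01-10T09:00:00", "bob",   "203.0.113.9",  "DE", "success"),
    ("2024-01-10T09:10:00", "alice", "198.51.100.7", "BR", "failure"),
    ("2024-01-10T09:11:00", "alice", "198.51.100.7", "BR", "failure"),
    ("2024-01-10T09:12:00", "alice", "198.51.100.7", "BR", "failure"),
    ("2024-01-10T09:13:00", "alice", "198.51.100.7", "BR", "success"),
    ("2024-01-10T09:30:00", "bob",   "203.0.113.9",  "DE", "failure"),
    ("2024-01-10T09:31:00", "bob",   "203.0.113.9",  "DE", "success"),
]


def detect_login_anomalies(events, fail_threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Two rules over time-ordered login events; returns a list of alert dicts.

    failures_then_success: at least `fail_threshold` failures from one IP for a user
        within `window`, followed by a success from that IP.
    new_country: a success from a country the user has never succeeded from before
        (requires at least one prior success, so a first-ever login is not flagged).
    """
    events = sorted(events, key=lambda e: e[0])       # ISO timestamps sort lexically
    seen_countries = defaultdict(set)                 # user -> countries with a past success
    recent_failures = defaultdict(deque)              # (user, ip) -> timestamps of failures
    alerts = []
    for ts_str, user, ip, country, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        failures = recent_failures[(user, ip)]
        while failures and ts - failures[0] > window:
            failures.popleft()                        # expire failures outside the window
        if outcome != "success":
            failures.append(ts)
            continue
        if len(failures) >= fail_threshold:
            alerts.append({"kind": "failures_then_success", "user": user, "ip": ip,
                           "time": ts_str, "failures": len(failures)})
        failures.clear()
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append({"kind": "new_country", "user": user, "ip": ip,
                           "time": ts_str, "country": country})
        seen_countries[user].add(country)
    return alerts


def run_login_sample():
    """Run both rules over the constructed sample and return the alert list."""
    return detect_login_anomalies(SAMPLE_LOGINS)


if __name__ == "__main__":
    for alert in run_login_sample():
        print(alert)
```

On the sample, alice's 09:13 success raises both alerts; bob's single failure before a success from his usual country raises none. A real deployment would feed this from the identity provider's sign-in log and route new_country hits to the user for confirmation, since travel produces the same pattern.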
Call to Microsoft: A simple "by design" statement does not resolve the issue. Microsoft must acknowledge user concerns, take concrete remedial actions, and ensure that password security is no longer a design flaw.