Security researcher Tom Jøran Sønstebyseter Rønning, posting as @L1v1ng0ffTh3L4N, has revealed that Microsoft Edge decrypts every saved password at startup and holds all of them in process memory, in cleartext, for the entire browser session.
He says this includes passwords for sites the user is visiting as well as every credential the user’s ever saved. The passwords are held in memory from the moment Edge opens.
The assumption behind the technical behaviour
Uzair Gadit, Founder & CEO of Secure.com, says: “What makes this Edge finding unusual is not just the technical behaviour, it is the assumption behind it. Users are told to follow best practices, use strong passwords and use a password manager, and they did. The problem is the software holding those credentials made a design decision that fundamentally changes the risk, and most users were never made aware of it.”
Gadit says on its own, requiring administrative access might sound like a limiting factor. “In reality, that’s exactly where many enterprise breaches begin. Once an attacker gains privileged access in a shared environment like RDS or Citrix, the difference between decrypting credentials on demand versus holding them all in memory becomes significant. It can turn a single compromised account into a broad credential exposure event across multiple users.”
He believes that this is where the cyber sector needs to shift its thinking. “We have spent years telling users to improve password hygiene, but this isn’t a hygiene problem, it’s an exposure problem. The question is no longer just how strong a password is, but how long it exists in a usable state, where it exists, and who or what can access it there.
Keeping everything decrypted for convenience increases risk
“The architectural difference highlighted here is important: minimizing the time credentials exist in plaintext reduces risk. Keeping everything decrypted for convenience increases it. Both are intentional design choices, but only one aligns with how attackers increasingly operate, especially as automation and AI make it easier to move laterally once access is established.”
“World Password Day tends to focus attention on user behaviour,” Gadit adds. “This is a reminder that the bigger risk often sits one layer below that, in the design decisions made by those producing the tools people are told to trust. If those decisions prioritize usability over exposure reduction, then even a user’s perfect password hygiene won’t consistently deliver the security outcome their organizations expect.”
For him, the takeaway isn’t that passwords are weak; it’s that credential exposure still isn’t being treated as a first-order risk in system design. “Until that changes, attackers will continue to focus less on breaking in and more on taking advantage of what’s already available once they are inside.”
A broader trust boundary issue
Ted Miracco, CEO of Approov, adds: “This type of exposure highlights a broader trust boundary issue. Modern infostealers thrive in the gap between ‘encrypted at rest’ and ‘exposed at runtime.’ The industry trend should be toward app-bound, just-in-time access to secrets, not long-lived plaintext copies in memory.”
Miracco adds that even when credentials are stored securely, the moment they are handled in cleartext, they become accessible to any process that can observe memory or intercept execution flows. “Without enforcing strong runtime protections and limiting how credentials can be accessed or reused, attackers can bypass traditional safeguards without ever breaking encryption.”
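Gadit's point about minimizing the time credentials exist in plaintext and Miracco's call for just-in-time access to secrets describe two credential-store designs: decrypt everything at startup and keep it resident, or decrypt one secret when it is needed and wipe it afterwards. The Python below is an added illustration of that contrast; it is not the article's code and not Edge's implementation. The `EagerVault` and `JustInTimeVault` classes, the `seal`/`unseal`/`zeroize` helpers and the `resident_plaintext()` counter are assumptions made for the example, the cipher is a toy SHA-256 counter-mode construction standing in for a real AEAD so the script runs with the standard library only, and the site names and passwords are constructed sample data.

```python
"""Model the exposure window of two credential-store designs.

Added example (not from the article or from Edge). The counter
resident_plaintext() reports how many decrypted secrets are live at a
given moment, which is the quantity Gadit's and Miracco's remarks turn on.
"""
import hashlib
import hmac
import os
from contextlib import contextmanager

# Constructed sample vault contents; none of these are real credentials.
SAMPLE_CREDENTIALS = {
    "mail.example.test": b"correct horse battery staple",
    "bank.example.test": b"Tr0ub4dor&3",
    "intranet.example.test": b"hunter2-but-longer",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for a real
    AEAD such as AES-GCM so the example is self-contained; not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes):
    """Encrypt a secret for storage at rest; returns (nonce, ciphertext)."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce, ciphertext


def unseal(key: bytes, nonce: bytes, ciphertext: bytes) -> bytearray:
    """Decrypt into a mutable bytearray so the caller can wipe it afterwards."""
    return bytearray(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def zeroize(buf: bytearray) -> None:
    """Overwrite the buffer in place. In CPython this clears this object only;
    any copy the caller made (e.g. bytes(buf)) keeps the secret alive."""
    for i in range(len(buf)):
        buf[i] = 0


class EagerVault:
    """Decrypt every credential at startup and keep all of them resident for the
    whole session: the behaviour the article reports for Edge."""

    def __init__(self, key: bytes, sealed: dict):
        self._plain = {site: unseal(key, n, c) for site, (n, c) in sealed.items()}

    def get(self, site: str) -> bytearray:
        return self._plain[site]

    def resident_plaintext(self) -> int:
        # Buffers are never wiped, so every stored secret stays countable.
        return sum(1 for buf in self._plain.values() if any(buf))


class JustInTimeVault:
    """Keep only ciphertext at rest; decrypt one secret for the duration of a
    `with vault.use(site)` block and wipe it on exit."""

    def __init__(self, key: bytes, sealed: dict):
        self._key = key
        self._sealed = sealed
        self._live = []  # buffers currently holding plaintext

    @contextmanager
    def use(self, site: str):
        nonce, ciphertext = self._sealed[site]
        buf = unseal(self._key, nonce, ciphertext)
        self._live.append(buf)
        try:
            yield buf
        finally:
            zeroize(buf)
            self._live = [b for b in self._live if b is not buf]

    def resident_plaintext(self) -> int:
        return sum(1 for buf in self._live if any(buf))


def demo() -> dict:
    """Load the same sealed store into both designs and sample the exposure
    window before, during and after a single credential is used."""
    key = os.urandom(32)
    sealed = {site: seal(key, pw) for site, pw in SAMPLE_CREDENTIALS.items()}
    eager = EagerVault(key, sealed)
    jit = JustInTimeVault(key, sealed)
    at_start = (eager.resident_plaintext(), jit.resident_plaintext())
    with jit.use("bank.example.test") as pw:
        during_use = (eager.resident_plaintext(), jit.resident_plaintext())
        # Compare without copying: bytearray == bytes needs no new bytes object.
        roundtrip_ok = pw == SAMPLE_CREDENTIALS["bank.example.test"]
    after_use = (eager.resident_plaintext(), jit.resident_plaintext())
    return {"at_start": at_start, "during_use": during_use,
            "after_use": after_use, "roundtrip_ok": roundtrip_ok}


if __name__ == "__main__":
    for phase, value in demo().items():
        print(f"{phase:>12}: {value}")
```

Running `demo()` reports (eager, just-in-time) resident counts of (3, 0) at startup, (3, 1) while one credential is in use and (3, 0) afterwards; the eager store's count never drops, which is the "long-lived plaintext copies in memory" Miracco describes. Two caveats for anyone adapting the pattern: a garbage-collected runtime such as CPython cannot promise that a wiped `bytearray` was the only copy, so the model shows the design difference rather than proving memory hygiene, and a just-in-time design still leaves secrets exposed to any process that can read memory while the block is open, which is why it narrows the window instead of closing it.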
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.