Microsoft Backpedals: Edge to Stop Loading Cleartext Passwords into Memory

Dylan H.

News Desk

May 17, 2026

Microsoft has announced that it is updating the Edge web browser to prevent saved passwords from being loaded into process memory in cleartext at startup. The reversal comes after the company initially described the behavior as intentional — a response that drew significant criticism from security researchers who pointed out that any process on the system with sufficient privileges could harvest credentials directly from Edge's memory.

The Original Behavior

Security researchers discovered that Microsoft Edge was loading the entire contents of its built-in password manager into process memory when the browser launched — in plaintext, not encrypted. This meant that every username and password stored in Edge's password vault was resident in RAM, accessible to any process capable of reading Edge's memory space.

On Windows, several categories of software and techniques can read another process's memory:

  • Kernel-level malware and rootkits
  • Process injection attacks targeting browser processes
  • Memory scraping infostealers — a category that has exploded in sophistication throughout 2025–2026
  • Legitimate tools misused by attackers, such as Task Manager or process dump utilities, under conditions of local access

The behavior was particularly concerning because it meant that credential theft via memory scraping did not require exploiting a vulnerability in Edge itself — simply having code execution on the machine with sufficient privilege was enough.

Microsoft's Initial Response: "By Design"

When researchers first raised the issue with Microsoft, the company reportedly characterized the behavior as intentional — a design choice made to improve performance by pre-loading frequently needed data. This response drew sharp criticism from the security community.

Password managers — whether standalone applications or browser-integrated — are generally expected to decrypt credential data only when needed for a specific autofill operation, keeping the plaintext in memory for the minimum possible time before wiping it. The practice of loading all passwords into memory at startup inverts this principle and dramatically expands the window during which credentials are exposed.
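The difference between the two approaches can be measured in a few lines of C. This is an added example, not Edge's or any vendor's code: the XOR routine is a placeholder for OS-backed decryption, the credentials are constructed samples, and all names (`vault_t`, `preload_resident`, `on_demand_resident`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define N 3
#define PW_MAX 32
/* Constructed sample credentials, not real ones. */
static const char *SAMPLE[N] = {"hunter2-demo", "correct-horse-demo", "tr0ub4dor-demo"};

typedef struct { unsigned char ct[N][PW_MAX]; size_t len[N]; char scratch[PW_MAX]; } vault_t;

/* Placeholder XOR "cipher": stands in for the OS-backed decryption a real browser uses. */
static void toy_crypt(const void *in, void *out, size_t n) {
    static const unsigned char key[] = "constructed-demo-key";
    for (size_t i = 0; i < n; i++)
        ((unsigned char *)out)[i] = ((const unsigned char *)in)[i] ^ key[i % (sizeof key - 1)];
}
/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void secure_wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

static void vault_init(vault_t *v) {            /* the vault holds ciphertext only */
    memset(v, 0, sizeof *v);
    for (int i = 0; i < N; i++) { v->len[i] = strlen(SAMPLE[i]); toy_crypt(SAMPLE[i], v->ct[i], v->len[i]); }
}
/* How many sample passwords are readable as plaintext in a memory region. */
static int resident(const void *mem, size_t n) {
    int hits = 0;
    for (int i = 0; i < N; i++) {
        size_t len = strlen(SAMPLE[i]);
        for (size_t off = 0; off + len <= n; off++)
            if (!memcmp((const char *)mem + off, SAMPLE[i], len)) { hits++; break; }
    }
    return hits;
}
/* Before: decrypt every entry at startup and keep it for the process lifetime. */
int preload_resident(void) {
    vault_t v; char all[N][PW_MAX] = {{0}};
    vault_init(&v);
    for (int i = 0; i < N; i++) toy_crypt(v.ct[i], all[i], v.len[i]);
    return resident(all, sizeof all);
}
/* After: decrypt one entry for one autofill, then wipe. Reports residency during/after. */
void on_demand_resident(int idx, int *during, int *after) {
    vault_t v;
    vault_init(&v);
    toy_crypt(v.ct[idx], v.scratch, v.len[idx]);
    *during = resident(&v, sizeof v);   /* the autofill would consume v.scratch here */
    secure_wipe(v.scratch, sizeof v.scratch);
    *after = resident(&v, sizeof v);
}
int main(void) {
    int d, a; on_demand_resident(1, &d, &a);
    printf("preload: %d resident; on demand: %d during, %d after\n", preload_resident(), d, a);
    return 0;
}
```

With preloading, every stored password is readable for as long as the process runs; with on-demand decryption, at most one is readable, and only between the decrypt and the wipe.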

The Reversal

Facing continued pressure, Microsoft has confirmed it is updating Edge to eliminate the cleartext preloading behavior. The fix will ensure that passwords are not decrypted and held in process memory until they are actively needed — aligning Edge's behavior with security best practices for credential management.

Microsoft has not provided a specific version number or release date for the fix, but described it as an active change in progress.

Why This Matters: The Infostealer Threat

The timing of this disclosure and reversal is significant. Browser-based infostealers — malware that targets saved passwords, session cookies, and authentication tokens stored in browsers — have become one of the most prevalent and effective credential theft vectors in 2026.

Tools like REMUS, Lumma, Vidar, and dozens of other commodity and malware-as-a-service (MaaS) infostealers specifically target browser password stores and session data. Memory scraping is one of the techniques in their toolkit, alongside:

  • SQLite database extraction — directly reading browser password databases from disk
  • Cookie theft — harvesting session cookies that bypass password authentication entirely
  • Keylogging — capturing credentials at the moment of entry

By holding all passwords in memory in cleartext, Edge was providing infostealers with a convenient, pre-assembled credential dump — eliminating the need to decrypt or extract from disk databases.

What Users Should Do Now

Until the fix is deployed, Edge users for whom credential theft is a serious risk should consider:

  • Using a dedicated password manager (Bitwarden, 1Password, Dashlane) rather than the browser's built-in manager. Standalone password managers are architecturally designed to minimize plaintext residence time.
  • Auditing saved passwords in Edge — review which credentials are stored and remove any that represent especially high-value accounts.
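  • Enabling Windows Credential Guard where applicable. This provides additional hardware-backed isolation for credentials on enterprise Windows devices. Note that Credential Guard isolates secrets held by the Local Security Authority (such as NTLM hashes and Kerberos tickets); it does not by itself protect the memory of the Edge process.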
  • Keeping Edge updated — the fix will be delivered via a standard browser update; ensure automatic updates are enabled.

Enterprise IT teams should also be aware that Edge password manager credentials are synced to Microsoft accounts when sync is enabled. Understanding the full scope of where Edge-stored credentials reside is important for incident response planning.

A Pattern Worth Noting

Microsoft's initial "by design" response to a clear security flaw — followed by a quiet reversal — is a pattern the company has faced criticism for before. It underscores the value of independent security research and public disclosure in driving improvements to widely used software. The fact that the behavior persisted long enough to be discovered and reported by external researchers suggests that internal security review processes did not flag the memory residency risk before release.
