LatestPakistan

Microsoft Edge tightens password security after flaw report

Microsoft has introduced a key security improvement to its Edge browser following concerns that saved passwords were being temporarily stored in system memory in an unprotected form at launch, raising potential data exposure risks.

The company has confirmed that Edge will no longer load all saved passwords into memory in plain text when the browser starts. The update is designed to reduce unnecessary exposure of sensitive credentials, even on systems that may already be compromised.

The issue was first identified by security researcher Tom Jøran Sønstebyseter Rønning, who discovered that Microsoft Edge was decrypting and loading all saved passwords into process memory immediately at startup.

He noted that this behavior differed from other Chromium-based browsers, including Google Chrome, which only decrypts and loads a password when a user actively requests it.

Initially, Microsoft maintained that the behavior was consistent with its existing security model, stating that an attacker would already need access to a compromised device to exploit such data. However, following further internal review, the company has now opted to refine its approach under a “defense-in-depth” security strategy.

Microsoft confirmed that the updated handling of stored credentials has already been implemented in the Edge Canary channel and will be rolled out more broadly starting with Edge build 148 and later versions, covering Stable, Beta, Dev, Canary, and Extended Stable releases.

The researcher’s findings highlighted that Edge was loading every saved password into memory at startup, a practice not commonly observed in competing browsers. The disclosure prompted Microsoft to reassess how credentials are processed and stored in memory in order to strengthen overall security.

The company emphasized that while the issue did not violate its defined security boundary model, it still represents an area where additional safeguards are necessary in today’s evolving threat landscape.

With this update, Microsoft Edge is expected to adopt a more controlled and secure approach to password handling, bringing it closer in line with industry standards and improving protection for user data.
