Microsoft Edge’s built-in password manager decrypts all saved credentials into plaintext at browser launch, leaving them exposed in process memory for the duration of the session, a security researcher revealed on May 4, 2026. The finding, posted on social media and accompanied by a proof-of-concept video, shows that passwords stored and encrypted in Edge’s database are loaded into RAM as soon as the browser starts—and remain there until the process is terminated.

The researcher, operating under the handle @crypt0fault, demonstrated the issue using a simple memory inspection tool on a fully updated Windows 11 system with Edge 132. By attaching to the live msedge.exe process and performing a string dump, they extracted dozens of plaintext username and password pairs in under thirty seconds. No special privileges were required; the tool ran under the same user account that launched the browser.

The Discovery

On May 4, @crypt0fault published a video on X showing the procedure step by step. After rebooting the machine and opening Edge, they navigated to a few previously saved login pages to trigger the in-memory decryption. Then, using the open-source utility “Process Dump” (a fork of the classic ProcDump with string extraction), they captured the process state. The output file contained every credential the browser had ever saved, neatly tagged alongside the corresponding website URLs and usernames.

The post immediately gained traction in the infosec community. Within hours, other researchers and users replicated the test, confirming the behavior on Windows 10 and Windows 11, with Edge versions from 127 through 132 all exhibiting the same pattern. Some reported that even passwords marked “protected” by Windows Hello or BitLocker were recovered in cleartext, as the browser already had decrypted them for auto-fill purposes.

Technical Breakdown

Edge handles password storage using the Windows Data Protection API (DPAPI). When a user saves a website credential, the browser encrypts it with a key tied to the current user account and the machine, then stores the encrypted blob in a local SQLite database. The encryption is sound and prevents offline reading of the file.

However, the decryption process is where the exposure occurs. Once the user logs into Windows and launches Edge, the browser’s password manager immediately loads all stored entries into memory. Edge does not decrypt on demand—instead, it bulk-decrypts every credential into a cache to speed up auto-fill operations. That cache lives in the process’s private virtual memory and is never securely zeroed or re-encrypted during the session.

“This is a classic example of convenience trumping defense in depth,” @crypt0fault wrote in a follow-up thread. “Even if an attacker doesn’t have admin rights, any malware that can read process memory—or a user with physical access and the same account—can get every password in one shot.”

A deeper analysis reveals that the decrypted strings are stored in a predictable memory region allocated by Edge’s credential provider library. This library, edge_manage.dll, creates a dictionary-style structure where both the site URL and the associated password are placed adjacently, making automated extraction trivially easy for anyone with basic programming skills.
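The difference between the bulk-decrypt cache described in this section and a decrypt-on-demand design, as an added illustration that is not Edge's code or the researcher's. The toy_crypt function is a stand-in for DPAPI, and the class names, key and credentials are constructed for the example.

```python
import hashlib
from contextlib import contextmanager

def toy_crypt(key: bytes, site: str, data: bytes) -> bytearray:
    """XOR with a SHAKE-256 keystream. Stand-in for DPAPI; illustration only."""
    stream = hashlib.shake_256(key + site.encode()).digest(len(data))
    return bytearray(a ^ b for a, b in zip(data, stream))

class BulkCacheStore:
    """Pattern described above: every entry is decrypted when the store opens."""
    def __init__(self, key, blobs):
        self.cache = {s: bytes(toy_crypt(key, s, b)) for s, b in blobs.items()}

class OnDemandStore:
    """Alternative: hold ciphertext only, decrypt one entry, zero it after use."""
    def __init__(self, key, blobs):
        self._key, self._blobs = key, dict(blobs)

    @contextmanager
    def secret(self, site):
        buf = toy_crypt(self._key, site, self._blobs[site])  # mutable buffer
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))  # overwrite in place before release

def exposed(store, plaintexts):
    """Count known plaintexts present in the store's at-rest state."""
    state = repr(vars(store)).encode()
    return sum(1 for p in plaintexts if p in state)

def demo():
    key = b"constructed-demo-key"  # constructed sample data throughout
    plain = {"https://intranet.example": b"hunter2-demo",
             "https://mail.example": b"s3cret-demo"}
    blobs = {s: bytes(toy_crypt(key, s, p)) for s, p in plain.items()}
    bulk, lazy = BulkCacheStore(key, blobs), OnDemandStore(key, blobs)
    with lazy.secret("https://mail.example") as buf:
        used = bytes(buf)  # copy kept only so the demo can show the value
    return (exposed(bulk, plain.values()), exposed(lazy, plain.values()),
            used, bytes(buf))

if __name__ == "__main__":
    print(demo())
```

Python cannot guarantee that no other copy of a secret exists in the interpreter's memory, so this shows the design rather than a hardened implementation. Native Windows code would wipe the buffer with SecureZeroMemory so the compiler cannot optimize the overwrite away.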

Real-World Risk

The practical risk is nuanced. For a typical home user, the exposure is limited: an attacker would need to run code on the machine under the same user context or have a pre-existing foothold that allows reading process memory. Modern Windows versions enforce process isolation and require SeDebugPrivilege to read another process’s memory, which by default is only given to administrative users. However, the researcher’s tool ran within the same user session, circumventing this restriction.

In enterprise environments, the threat is more pronounced. Shared workstations, kiosks, and VDI environments often operate with multiple users on the same system. A process dump from one user’s Edge could reveal passwords to internal portals, HR systems, and cloud services. Additionally, advanced persistent threats that have already established code execution could harvest credentials without triggering antivirus alerts, since reading process memory is a common benign operation.

“The attack doesn’t need to be sophisticated,” said Jane Holloway, a penetration tester at CySight Labs. “A simple info-stealer payload that appends a memory dump of running browsers to its exfiltration routine would catch all these passwords. And because the dump is just a binary blob, it’s often overlooked by EDR solutions.”

The incident also highlights a wider problem with password managers that operate at the browser level. Many third-party extensions and built-in managers similarly cache decrypted data. However, Edge’s behavior is conspicuous because it decrypts everything aggressively at startup, rather than just the specific credential being used.

Industry Context

Browser password managers have long been scrutinized for security weaknesses. Google Chrome, for example, faced criticism in 2013 when it was revealed that synced passwords could be viewed in plaintext via chrome://settings. In 2018, Firefox improved its master password feature to require the OS password before revealing saved logins. Edge, since its Chromium rebirth, has lagged behind in implementing such authentication guards for local access.

In 2024, Microsoft introduced a “Windows Hello” integration that asks for biometric or PIN verification before auto-filling saved passwords on Edge. Yet the current finding demonstrates that the auto-fill check occurs after the password cache is already populated. An attacker need not interact with the auto-fill prompt; they can read the memory directly.

This is reminiscent of the 2019 “SigRed” vulnerability in Windows DNS, where sensitive data was inadvertently left in memory after decryption. Microsoft’s response then was to issue a patch that better-scrubbed memory buffers. Security experts hope for a similar approach here.

Microsoft’s Stance

Microsoft has not yet issued an official statement regarding the researcher’s disclosure. However, early signals from the Microsoft Security Response Center (MSRC) suggest the company may classify this as a “by design” behavior. In the past, similar reports about DART (the Diagnostic and Recovery Toolset) and LSASS memory have been met with the argument that the OS already provides kernel-level protections; if an attacker can run a process as the user, the user’s data is already compromised.

“We are aware of the report and are evaluating the findings,” a Microsoft spokesperson told WindowsNews.ai via email. “Edge is designed to operate within the security context provided by the operating system. We encourage users to follow best practices for endpoint protection and to enable Windows Hello and BitLocker for hardware-backed encryption.”

This stance has drawn ire from the security community. “Dismissing a clear plaintext exposure as ‘by design’ is a disservice to users,” argued @crypt0fault. “Just because someone is in the house doesn’t mean you should leave the safe wide open. Browsers should follow the principle of least privilege—decrypt only what’s needed, when it’s needed, and wipe it afterward.”

Mitigation Strategies

Until Microsoft delivers a patch or a design change, users can take immediate steps to reduce their risk:

  • Avoid saving passwords in Edge: Disable the built-in password manager (edge://settings/passwords) and use a dedicated, audited password manager like Bitwarden or 1Password. These solutions often encrypt the vault until a master password is entered, and may employ memory protection techniques.
  • Enable Windows Hello for Edge auto-fill: While this doesn’t prevent the in-memory decryption, it does add a barrier for interactive auto-fill theft. However, it will not stop a process memory dump.
  • Use containerized browsing: For sensitive accounts, open Edge in a sandboxed environment like Windows Sandbox or a dedicated VM. That way, even if the host is compromised, the memory footprint remains isolated.
  • Lock workstations when unattended: Physical access scenarios are mitigated by a locked screen. Combine with short inactivity timeout policies.
  • Monitor for anomalous process access: Security teams can deploy detection rules for unusual process opening or DLL injection into msedge.exe. While noisy, it may catch opportunistic attackers.

Enterprises should also consider rolling out a Group Policy that disables the password manager and restricts browser extensions to only approved ones that handle credentials securely.
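One way to implement the process-access monitoring suggested in the list above, as an added example that is not from the article or any vendor: it filters Sysmon Event ID 10 (ProcessAccess) records for handles to msedge.exe that carry PROCESS_VM_READ. The sample events and the allowlist, including the EDR agent path, are constructed assumptions.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Assumption: images expected to open Edge with read access in this environment.
ALLOWED_SOURCES = {
    EDGE.lower(),                              # Edge opening its own child processes
    r"c:\program files\exampleedr\agent.exe",  # hypothetical EDR agent path
}

def suspicious_edge_reads(events):
    """Return events where a non-allowlisted image opened msedge.exe with VM_READ."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if ntpath.basename(ev["TargetImage"]).lower() != "msedge.exe":
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # this handle cannot be used to read memory
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue  # full-path match, so a renamed binary elsewhere is not trusted
        hits.append(ev)
    return hits

# Constructed sample events (field names follow Sysmon's ProcessAccess schema).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown_tool.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown_tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    for ev in suspicious_edge_reads(SAMPLE_EVENTS):
        print(ev["SourceImage"], "->", ev["TargetImage"], ev["GrantedAccess"])
```

Only the third sample event is reported: the Task Manager handle lacks the read right, and the fourth event targets a different process.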

What’s Next

The researcher has pledged to release a detailed technical writeup and a proof-of-concept script on GitHub by mid-May, after the standard 30-day coordinated disclosure window—though Microsoft may have been pre-notified. Community pressure is mounting: an open letter on the Microsoft Tech Community forum has gathered over 2,000 signatures demanding a memory-safe redesign.

Some experts predict Microsoft will react by implementing on-demand decryption and memory zeroing, similar to how the Windows LSA protection mode scrubs secrets. Others believe the company will argue that the existing defense-in-depth model is sufficient, and instead work with anti-malware vendors to improve detection of process dumps targeting browsers.

In the broader picture, this incident is another reminder that convenience features inevitably expand the attack surface. Password managers are a prime target, and as browsers become ever more feature-rich, their memory management needs to evolve in lockstep. For now, Edge users should weigh the convenience of one-click login against the reality that their credentials are floating in RAM, waiting to be scooped up.