Windows Hello-protected on disk, but every credential sits wide open in RAM.
Researcher pulls full passwords with hex editor before you even type one site.
That’s Microsoft handing your bank logins to any local attacker.
Keep trusting Edge and watch your accounts drain one memory dump at a time.
Microsoft Edge: Passwords end up in memory as plaintext
“Password managers are supposed to help store login credentials safely and securely, taking the ‘memorization work’ off users. In addition, these practical helpers can transcend device boundaries and manage login data equally on smartphones, desktops, and laptops. Typically, they are stored end-to-end encrypted in the cloud. Passwords should also only be decrypted in memory for a short time. However, Microsoft’s password manager in the Edge browser fails here.
Tom Jøran Sønstebyseter Rønning draws attention to the problem in a post on X. A simple test confirms the vulnerability. With the password manager enabled in Microsoft Edge, we created an account with the password ‘Klartext-PW-Test.’ To view, retrieve, or change this data, Microsoft Edge requires authentication with Windows Hello. This makes the data appear well protected.”