Microsoft Edge dumps all saved passwords in plaintext memory at startup

Windows Hello protected on disk but every credential sits wide open in RAM.

Researcher pulls full passwords with hex editor before you even type one site.

That’s Microsoft handing your bank logins to any local attacker.

Keep trusting Edge and watch your accounts drain one memory dump at a time.

Microsoft Edge: Passwords end up in memory as plaintext

“Password managers are supposed to help store login credentials safely and securely, taking the “memorization work” off users. In addition, these practical helpers can transcend device boundaries and manage login data equally on smartphones, desktops, and laptops. Typically, they are stored end-to-end encrypted in the cloud. Passwords should also only be decrypted in memory for a short time. However, Microsoft’s password manager in the Edge browser fails here.

Tom Jøran Sønstebyseter Rønning draws attention to the problem in a post on X. A simple test confirms the vulnerability. With the password manager enabled in Microsoft Edge, we created an account with the password “Klartext-PW-Test.” To view, retrieve, or change this data, Microsoft Edge requires authentication with Windows Hello. This makes the data appear well protected.”

 

Uh-oh! It looks like you're using an ad blocker.

Our website relies on ads and the generous support of readers like you to keep delivering free, high-quality content. Right now, we are facing serious funding challenges and we need your help more than ever. Disable your ad blocker and this message will vanish. You can also sign up for a membership to enjoy an ad-free experience while supporting our work: https://citizenwatchreport.com/plans/subscriptions/ Your support helps us stay independent, continue our work, and keep content free for everyone. We truly appreciate your understanding and thank you for standing with us.