Tom’s Guide
Scott Younker

'Only Chromium-based browser I've tested that behaves this way': Microsoft Edge has a huge password vulnerability, researcher claims

Microsoft Edge apparently saves your passwords in its memory as cleartext, according to a Norwegian cybersecurity researcher. This matters because it means a malicious actor could see all of your passwords if they gain access to your PC.

Update: Microsoft provided Tom's Guide with a statement; read on for the company's response.

The researcher, Tom Jøran Sønstebyseter Rønning (spotted by our friends at PC Gamer), posted a thread on X explaining how the browser decrypts "every credential at startup" and then keeps them in process memory. It even happens for sites that you don't visit that session.

"Edge is the only Chromium‑based browser I’ve tested that behaves this way," Rønning said.

To be clear, this isn't available for anyone to just stumble across. You need some know-how and administrative access to the terminal server, already a huge breach. Once that is done, a bad actor "can access the memory of all logged‑on user processes."

A person could have administrative access on one account and then use that access to compromise passwords for other logged-in users too.

Yes, someone with admin rights can wreak havoc on any computer they have access to, but you typically need passwords to access password managers or two-factor authentication. Cleartext means that passwords are more visible, and in a shared environment that would be a treasure trove for a bad actor.

"Access to browser data as described in the reported scenario would require the device to already be compromised," a Microsoft spokesperson said in a statement.

"By design"

Rønning posted that he disclosed this flaw to Microsoft and was told that the behavior is "by design." And it appears to be known.

In a related thread, X user LopezLucio666 responded that they reported the flaw in September of 2025. According to a screencap they posted, the Microsoft Security Response Center (MSRC) deemed the flaw "not a vulnerability and no security boundary being crossed."

The message says that the ability to read Edge memory requires privileges "the same or greater."

Microsoft has a password manager security FAQ that does sort of address the issue. "Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in."

This doesn't do anything for users who are logged in, though.

Microsoft told Tom's Guide that design choices regarding this involve "balancing performance, usability and security, and we continue to review it against evolving threats."

The company added that the browser's access to password data in memory allows you to sign in quickly and securely, an "expected feature of the application."

Per Rønning and others' research, the system may not be doing enough to prevent attackers from being able to access the cleartext passwords.

In the meantime, we recommend using one of the best password managers instead of storing them in Edge or any other browser for that matter.
