Microsoft's Edge is facing controversy after a security researcher discovered the internet browser will load stored passwords in plaintext in a computer’s RAM, paving the way for malware to fetch the login credentials.
Security researcher Tom Jøran Sønstebyseter Rønning flagged the problem in a video showing him using a simple tool to dump stored passwords in Edge using the command prompt with administrator privileges.
This Tweet is currently unavailable. It might be loading or has been removed.
“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials,” he warned, adding: “Edge is the only Chromium‑based browser I’ve tested that behaves this way.”
However, Microsoft is pushing back on the report, saying the threat only arises if a hacker has control over the user’s PC, which could occur through a malware infection. “Access to browser data as described in the reported scenario would require the device to already be compromised,” the company said in a statement.
Still, Rønning questions why Microsoft doesn’t follow Google’s Chrome, which decrypts saved credentials “only when needed, instead of keeping all passwords in memory at all times," he said. "In contrast, Chrome will only decrypt the credential you need for autofill, when you need it, and it will be removed after."
It's also possible to dump passwords for multiple users if a hacker gains access to a Windows terminal server. In his video, Rønning noted the attacker is able to compromise a user account with administrative privileges to view the stored credentials for two other logged-on users.
This Tweet is currently unavailable. It might be loading or has been removed.
However, Microsoft indicates that its current approach to loading stored passwords in Edge can improve the user experience. “Design choices in this area involve balancing performance, usability, and security, and we continue to review it against evolving threats,” the company said. “Browsers access password data in memory to help users sign in quickly and securely—this is an expected feature of the application. We recommend users install the latest security updates and antivirus software to help protect against security threats."
That last part is a bit unsettling, though, and suggests Windows’ built-in security isn’t enough to protect the user, despite Microsoft's own recommendation.
Recommended by Our Editors
The controversy has sparked debate, with some saying the danger is overblown because the threat vector requires hijacked admin access to a PC or server, which would expose the victim to all kinds of attacks, including password theft from other programs. But others have wondered why Microsoft doesn’t simply implement stronger security for password storage.
Vx Underground, a malware library service, noted that a malware infection could use Edge’s in-memory process to dump a user’s passwords on a home machine. “However, successfully using this method in an enterprise environment would be difficult to use. It would require administrative access and some security access tokens which would immediately raise some flags."
In the meantime, another security researcher, Rob VandenBrink, replicated the findings by going to Task Manager and using “Create Memory Dump” while the Edge browser was open on the PC. The resulting memory dump file included stored passwords. But again, this process requires local access to the PC.
About Our Expert
Michael Kan
Principal Reporter
Experience
I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.
Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.