Microsoft Edge password manager stores plaintext passwords in memory

15 articles · Updated · heise online · May 5
  • A test found an unused password visible in a 670 MB browser memory dump taken after Edge was restarted, even though Windows Hello protects access to the saved credentials.
  • The flaw means passwords are loaded into memory before the corresponding sites are visited and remain readable in clear text, a weakness classified as CWE-316 (Cleartext Storage of Sensitive Information in Memory).
  • Microsoft reportedly told Rønning that the behaviour was intentional, prompting calls for a fix and advice that security-conscious users consider other password managers; Germany's BSI had already excluded Edge from a 2025 password manager test.
How can Microsoft Edge users protect their passwords when even Windows Hello can't prevent plaintext exposure in memory?
With the EU Cyber Resilience Act looming, will Microsoft be forced to redesign Edge's password manager, or risk losing market access?
Are dedicated password managers truly immune to in-memory attacks, or is the risk of plaintext exposure simply less publicized?