Updated · Computerworld · May 5
Tom Jøran Sønstebyseter Rønning plans tool exposing Edge plain-text password storage

16 articles · Updated · Computerworld · May 5
  • The Norwegian researcher said Microsoft Edge decrypts all saved credentials at startup and keeps them in process memory, including on shared workplace PCs; Heise.de independently reproduced the issue.
  • Microsoft reportedly told Rønning the behaviour is "by design", drawing criticism from Beauceron Security chief David Shipley, who warned it gives info-stealing malware an easy path to harvest passwords.
  • The finding updates earlier reports of plaintext passwords in memory, while comparisons with Chrome's App-Bound Encryption have intensified calls for users and businesses to consider alternative password managers.
How can Microsoft Edge users protect their passwords when even Windows Hello can't prevent plaintext exposure in memory?
With the EU Cyber Resilience Act looming, will Microsoft be forced to redesign Edge's password manager, or risk losing market access?
Are dedicated password managers truly immune to in-memory attacks, or is the risk of plaintext exposure simply less publicized?