Microsoft is making a major security change to Microsoft Edge after intense backlash from users and security researchers over how the browser handled saved passwords in memory.

The controversy started after a security researcher revealed that Edge was decrypting all saved credentials the moment the browser launched and keeping them stored in plaintext within the browser’s process memory for the entire session — even if the passwords were never actually used.

That discovery quickly sparked criticism across the security community, with many users questioning why sensitive credentials remained exposed in memory unnecessarily.

What Was Happening Inside Edge?

According to the researcher’s findings, Edge automatically decrypted every password saved in the browser during startup. Once decrypted, those credentials stayed resident in memory in cleartext form until the browser session ended.

This meant that if malicious software gained local access to the system, it could potentially scrape passwords directly from memory without waiting for the user to log into websites.

While such an attack would already require elevated access or malware running locally, critics argued that keeping all credentials permanently loaded created an unnecessary security risk.

The issue gained traction online after many users accused Microsoft of prioritizing convenience and performance over modern security best practices.

Microsoft Initially Defended the Behavior

Microsoft originally responded by saying the behavior was “by design” and aligned with the browser’s threat model.

The company argued that an attacker would already need administrative privileges and the ability to execute malicious code locally before accessing the passwords, meaning the system would already be compromised at that point.

However, the explanation did little to calm concerns from users and cybersecurity professionals.

Many pointed out that modern browsers and password managers increasingly follow stricter “decrypt-on-demand” approaches to minimize exposure windows for sensitive data.

Microsoft Is Now Changing Edge’s Password Handling

Following the backlash, Microsoft has now confirmed that it is implementing a new defense-in-depth security improvement under its Microsoft Secure Future Initiative.

With the update:

  • Saved passwords will no longer be decrypted and loaded into memory during browser startup
  • Credentials will instead be decrypted only when needed
  • Passwords will remain protected until a login action actually requires them
  • Overall memory exposure time for sensitive credentials will be significantly reduced

This brings Edge more in line with modern security expectations followed by many password managers and competing browsers.
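The difference between the two behaviours, as an added Python sketch (not Edge's or Microsoft's code). The class names, the sample records and the SHA-256 stand-in cipher are assumptions made for illustration.

```python
import hashlib
import os
from contextlib import contextmanager

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytearray:
    # Stand-in cipher for the demo only (SHA-256 in counter mode); a real
    # store would call the OS data-protection API or an AEAD here.
    out = bytearray(len(data))
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        for i, b in enumerate(data[block:block + 32]):
            out[block + i] = b ^ pad[i]
    return out

class EagerVault:
    """Decrypt-at-startup: every saved password sits in memory in cleartext."""
    def __init__(self, key, records):
        self.plain = {site: _xor_stream(key, nonce, ct)
                      for site, (nonce, ct) in records.items()}
    def resident_plaintexts(self):
        return len(self.plain)

class LazyVault:
    """Decrypt-on-demand: only ciphertext is held between login actions."""
    def __init__(self, key, records):
        self._key, self._records, self._live = key, records, 0
    def resident_plaintexts(self):
        return self._live
    @contextmanager
    def use(self, site):
        nonce, ct = self._records[site]
        buf = _xor_stream(self._key, nonce, ct)  # mutable, so it can be wiped
        self._live += 1
        try:
            yield buf
        finally:
            buf[:] = bytes(len(buf))  # overwrite the cleartext in place
            self._live -= 1

def make_records(key, secrets):
    records = {}
    for site, password in secrets.items():
        nonce = os.urandom(16)
        records[site] = (nonce, bytes(_xor_stream(key, nonce, password.encode())))
    return records

# Constructed sample data (not real credentials).
KEY = os.urandom(32)
RECORDS = make_records(KEY, {"mail.example": "s3cret-one", "bank.example": "s3cret-two"})
```

Python gives no guarantee that the runtime made no other copies of a secret, so the wipe here is best-effort. The point is how many cleartext credentials each design keeps resident between logins.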

Fix Already Rolling Out in Edge Canary

Microsoft says the new behavior is already live in the Microsoft Edge Canary testing channel.

The company is prioritizing rollout to all supported versions of Edge, starting with version 148.

That means users on stable releases should begin receiving the improvement soon as Microsoft pushes the update more broadly.

Why This Matters

While the original design technically required local system compromise before exploitation, the controversy highlights how browser security expectations are changing rapidly.

Modern cybersecurity strategies increasingly focus on reducing attack surfaces even after an attacker gains partial system access. Limiting how long passwords remain decrypted in memory is considered an important layer of protection against malware, memory-dumping tools, and credential theft techniques.

Microsoft’s quick reversal also shows how strongly public feedback and the security research community can influence browser security decisions.
