Research: Microsoft Edge Loads Stored Passwords in Cleartext

Security researcher Tom Jøran Sønstebyseter Rønning discovered that the Microsoft Edge browser loads saved passwords into memory in plaintext, even when they are not being used.
When a user saves passwords in Microsoft Edge, the browser decrypts each credential at startup, storing them in process memory. This occurs even when users visit sites that do not require those credentials. Yet, the browser will prompt users to re‑authenticate before showing the same passwords in Password Manager UI — even though the process already stores them in cleartext.
“The risk of keeping the passwords in cleartext in memory becomes evident in shared environments,” Rønning said in his post. “If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes.”
When Rønning reported this behavior to Microsoft, he was told this behavior was “by design.”
Morey Haber, Chief Security Advisor at BeyondTrust, asserts, “The digital trust created by a password was never intended to be electronically immortal artifacts living in memory of a device. They were meant to be transient secrets: entered, validated, tokenized, and discarded from process memory. The moment a password is retained in clear text memory, even for operational performance, it stops being an authentication mechanism and becomes a liability regardless of who has access to a system.”
Haber says that process memory is viewed by modern operating systems as a protected, albeit shared, resource. “Debuggers, crash dumps, memory scrapers, malware, privileged insiders, endpoint agents, and even legitimate administration tools can all interact with memory under the right conditions,” he explains. “If a password exists in clear text within memory, the credential is no longer protected by encryption or hashing. It is simply waiting to be used by something and potentially anything.”
Understanding the Risks
According to Haber, malicious actors understand very well the risk of a stored plaintext password — and sometimes, they understand it better than organizations themselves.
“Some of the most effective post exploitation techniques in cybersecurity rely entirely on memory extraction from credential dumping tools through process crash dumps,” he states. “Once extracted, that password can enable privilege escalation, lateral movement, persistence, and unauthorized remote access across the environment. The risk becomes exponentially worse in privileged environments. One exposed credential can become the foundation for a ransomware infestation or a full-scale identity takeover, and if more than one password is available, it can lead to a game over event.
“From a defensive perspective, storing passwords in clear text memory violates the principles of least privilege, zero trust, and secure application design. It is simply just a bad idea. In modern secure by design environments, authentication should be ephemeral, protected, obfuscated, and replaced whenever possible with stronger mechanisms such as tokenization, certificate-based authentication, hardware backed credentials, or just in time access workflows.
“If a password can be read in memory by a human or malicious process, it is no longer a protected secret. It is already compromised in principle through clear text storage in an already insecure medium.”
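The transient-secret model Haber describes above, contrasted with the startup bulk decryption reported for Edge, as an added example that is not code from the article, from Rønning's research or from Microsoft: only protected blobs stay resident, one entry is decrypted on demand, and the scratch buffer is wiped as soon as the consumer is done. The XOR "protection", the site names and the passwords are constructed placeholders, and `secure_wipe` writes through a volatile pointer because a plain memset just before return is a dead store the compiler may remove.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TOY_KEY 0x5A   /* stands in for DPAPI/keyring protection; not real crypto */
#define PW_MAX  32
typedef struct { const char *site; uint8_t blob[PW_MAX]; size_t len; } Entry;

/* Wipe through a volatile pointer so the optimizer cannot drop the dead stores. */
static void secure_wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Keep only the protected form resident; the plaintext itself is never stored. */
static void protect(Entry *e, const char *site, const char *pw) {
    e->site = site; e->len = strlen(pw);
    for (size_t j = 0; j < e->len; j++) e->blob[j] = (uint8_t)pw[j] ^ TOY_KEY;
}

/* Decrypt exactly one entry, on demand, into caller scratch; 0 = no match. */
static size_t fetch_password(const Entry *s, size_t n, const char *site, uint8_t *out, size_t cap) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(s[i].site, site) != 0 || s[i].len > cap) continue;
        for (size_t j = 0; j < s[i].len; j++) out[j] = s[i].blob[j] ^ TOY_KEY;
        return s[i].len;
    }
    return 0;
}

/* Transient use: decrypt, hand to one consumer, wipe before returning. */
static int use_password_once(const Entry *s, size_t n, const char *site,
        int (*consumer)(const uint8_t *, size_t), uint8_t *scratch, size_t cap) {
    size_t len = fetch_password(s, n, site, scratch, cap);
    int rc = len ? consumer(scratch, len) : -1;
    secure_wipe(scratch, cap);
    return rc;
}

/* Simulated authentication step that accepts the constructed sample password. */
static int sample_consumer(const uint8_t *pw, size_t len) {
    return len == 14 && memcmp(pw, "sample-pw-0001", 14) == 0;
}

/* End-to-end check of the pattern; returns 1 only if every property holds. */
static int demo_transient_credential(void) {
    Entry store[2];
    uint8_t scratch[PW_MAX] = {0}, left = 0;
    protect(&store[0], "mail.example.test", "sample-pw-0001");   /* constructed samples */
    protect(&store[1], "vpn.example.test", "sample-pw-0002");
    int hit = use_password_once(store, 2, "mail.example.test", sample_consumer, scratch, PW_MAX);
    int miss = use_password_once(store, 2, "nope.example.test", sample_consumer, scratch, PW_MAX);
    for (size_t i = 0; i < PW_MAX; i++) left |= scratch[i];      /* scratch must be all zero */
    return memcmp(store[0].blob, "sample-pw-0001", 14) != 0 && hit == 1 && miss == -1 && left == 0;
}
```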
Rønning disclosed his findings on Apr. 29 at Palo Alto Networks Norway’s BIG Bite of Tech conference, then published his findings on LinkedIn and GitHub.