Microsoft is updating the Edge web browser to stop loading saved passwords into process memory in clear text at startup [1, 2].

This change addresses a potential vulnerability that could allow unauthorized actors to extract sensitive credentials from a computer's memory. By eliminating cleartext loading, the company reduces the risk of password theft via memory-scraping attacks.

The update follows a period of scrutiny regarding the browser's handling of stored data. Previously, reports indicated that Edge loaded these passwords into memory in an unencrypted format as soon as the application launched [1, 2].

Microsoft initially responded to these findings by saying the behavior was "by design" [3]. The company said at the time that the implementation did not constitute a security concern [3]. However, the current shift in policy indicates a reversal of that position to better protect user data [1, 2].

Security researchers often highlight the danger of cleartext data in memory because it can be accessed by other processes with sufficient privileges. This specific behavior in Edge created a window of opportunity for attackers to capture passwords without needing to crack the browser's encrypted on-disk storage [1].

Microsoft has not provided a specific rollout date for all users, but the update is intended to ensure that credentials remain protected throughout the startup sequence [1, 2].

This update represents a shift in Microsoft's approach to 'security by design.' While the company initially defended the cleartext loading as an intentional feature, the move to encrypt or omit these passwords from memory acknowledges that the threat of memory-dumping attacks outweighs the operational convenience of the previous design.
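To make the risk described above concrete, here is a small added C demonstration (not Edge code, and not Microsoft's implementation) that contrasts the two patterns the article describes: copying a credential into the heap in clear text at startup, versus keeping only an encrypted copy resident and recovering the clear text just before use, then wiping the working buffer. A linear byte scan over the simulated heap region stands in for what a memory-dump review would find. The password, the 256-byte "heap region", the key-derivation seed and the XOR keystream are all constructed for the example; the XOR step is a placeholder for a real memory-protection primitive (on Windows, an API such as CryptProtectMemory), not a cipher anyone should reuse.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 256
#define MAX_SECRET 64

/* Constructed stand-in for the part of the process heap a scraper would dump. */
typedef struct { unsigned char bytes[REGION_SIZE]; } heap_region_t;

/* Constructed per-process key material. Toy only. */
typedef struct { unsigned char key[MAX_SECRET]; } mem_key_t;

/* Overwrite a buffer through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Linear scan for a byte pattern: the check a defender auditing a memory dump
 * (or a scraper) performs. Returns 1 if the pattern occurs anywhere. */
int region_contains(const unsigned char *region, size_t region_len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > region_len) return 0;
    for (size_t i = 0; i + nlen <= region_len; i++)
        if (memcmp(region + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Deterministic xorshift stream for the demo key (a real implementation draws
 * the key from the OS CSPRNG). Each byte is forced odd so it is never zero and
 * every ciphertext byte differs from its clear-text byte. */
void derive_demo_key(mem_key_t *k, uint32_t seed) {
    uint32_t x = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < MAX_SECRET; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        k->key[i] = (unsigned char)(x | 1u);
    }
}

/* Pattern A, the startup behaviour the article describes: the credential is
 * copied into the heap in clear text and simply left there. */
void load_plaintext(heap_region_t *heap, const char *password) {
    memset(heap->bytes, 0, REGION_SIZE);
    memcpy(heap->bytes, password, strlen(password));
}

/* Pattern B: only an encrypted copy is resident. XOR with the key stream is a
 * placeholder for a real memory-protection primitive; the point is that the
 * clear text is never at rest in the region between uses. */
void load_protected(heap_region_t *heap, const char *password, const mem_key_t *k) {
    size_t len = strlen(password);
    memset(heap->bytes, 0, REGION_SIZE);
    for (size_t i = 0; i < len && i < MAX_SECRET; i++)
        heap->bytes[i] = (unsigned char)password[i] ^ k->key[i];
}

/* Recover the clear text into a caller-owned buffer just before it is needed.
 * The caller wipes that buffer as soon as the operation completes. */
void use_protected(const heap_region_t *heap, const mem_key_t *k, size_t len, char *out) {
    for (size_t i = 0; i < len && i < MAX_SECRET; i++)
        out[i] = (char)(heap->bytes[i] ^ k->key[i]);
    out[len] = '\0';
}

static const char DEMO_PASSWORD[] = "correct-horse-battery-7";  /* constructed */

/* 1 if a scan of the region finds the clear-text password under pattern A. */
int plaintext_pattern_exposed(void) {
    heap_region_t heap;
    load_plaintext(&heap, DEMO_PASSWORD);
    return region_contains(heap.bytes, REGION_SIZE, DEMO_PASSWORD);
}

/* 1 if a scan finds it under pattern B (it should not). */
int protected_pattern_exposed(void) {
    heap_region_t heap; mem_key_t k;
    derive_demo_key(&k, 42);
    load_protected(&heap, DEMO_PASSWORD, &k);
    return region_contains(heap.bytes, REGION_SIZE, DEMO_PASSWORD);
}

/* 1 if pattern B still yields the right password on demand and the working
 * copy is unrecoverable once wiped. */
int protected_pattern_roundtrip(void) {
    heap_region_t heap; mem_key_t k; char work[MAX_SECRET + 1];
    size_t len = strlen(DEMO_PASSWORD);
    derive_demo_key(&k, 42);
    load_protected(&heap, DEMO_PASSWORD, &k);
    use_protected(&heap, &k, len, work);
    int ok = strcmp(work, DEMO_PASSWORD) == 0;
    secure_wipe(work, sizeof work);
    return ok && !region_contains((unsigned char *)work, sizeof work, DEMO_PASSWORD);
}

int main(void) {
    printf("plaintext pattern exposed:   %d\n", plaintext_pattern_exposed());
    printf("protected pattern exposed:   %d\n", protected_pattern_exposed());
    printf("protected pattern roundtrip: %d\n", protected_pattern_roundtrip());
    return 0;
}
```

The scan finds the credential only under pattern A. Pattern B does not shrink the attack surface to zero: the key and the encrypted copy are both still in the process, and the clear text exists briefly in the working buffer, which is why the wipe immediately after use matters. What it removes is exactly the window the article describes, a credential sitting in clear text from startup onward, so an attacker who obtains a dump can no longer read it without also recovering the key.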