A security finding with familiar tradeoffs
Microsoft is defending a browser behavior that has drawn renewed scrutiny: saved passwords managed in Edge can reside in plaintext in RAM. According to the source reporting, security researcher Tom Jøran Sønstebyseter Rønning demonstrated that when users rely on Microsoft Password Manager in Edge, the browser decrypts credentials at startup and keeps them in process memory, even if the user never visits the sites tied to those credentials during that session.
Microsoft’s response, also included in the source material, is that this is expected behavior rather than a software bug. The company told ZDNET that browser access to password data in memory is part of how applications help users sign in quickly and securely. It added that exploiting the condition would require the device to already be compromised.
That combination of positions is what makes the story significant. The issue is not framed as a hidden flaw awaiting a patch. Instead, it sits in the uncomfortable category of accepted design tradeoffs, where performance and convenience are weighed against the consequences of a successful compromise.
What the researcher showed
Rønning published code on GitHub, called EdgeSavedPasswordsDumper, to demonstrate the behavior. The source text says the tool shows credentials stored by users of Microsoft Password Manager in Edge can be found in plaintext in the browser process memory. That matters because it narrows the debate. The finding is not about whether passwords are encrypted at rest inside the product’s storage mechanisms. It is about what happens after the browser has already decrypted them for active use.
The researcher also highlighted an apparent contradiction in the user experience. Edge may require re-authentication before showing passwords in the Password Manager interface, yet the browser process can already have those same passwords present in plaintext in memory. That gap between interface protections and runtime exposure is the part likely to unsettle technically informed users.
Still, the source text also supports Microsoft’s basic point that this is not a low-effort remote attack. The scenario described depends on an attacker already compromising a user account with administrative rights. That does not make the issue irrelevant, but it does place it later in an attack chain rather than at the initial point of entry.
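Because the scenario sits after a local compromise, the defender's lever is telemetry on who opens the browser process with memory-read rights. The detection below is an added example for this article, not code from the researcher's tool or from Microsoft; it assumes Sysmon ProcessAccess (Event ID 10) records flattened to key="value" text (real Sysmon output is XML, so the parser would need adapting), and the allow-listed EDR sensor path and the log lines are constructed.

```python
"""Flag Sysmon ProcessAccess (Event ID 10) records where a process other than
Edge itself opens msedge.exe with memory-read rights. Added example for this
article; not the researcher's tool or Microsoft code. Log lines are constructed
and flattened to key="value"; real Sysmon output is XML, so adapt the parser."""
import re

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Edge helper processes legitimately open each other; a hypothetical EDR sensor
# is also allow-listed. Paths are compared lower-cased. Tune for your environment.
EXPECTED_SOURCES = {
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\example-edr\sensor.exe",  # hypothetical, assumed path
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one flattened record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))

def is_suspicious_edge_access(event):
    """True when a non-allow-listed process opens msedge.exe with VM_READ set,
    the precondition for scraping decrypted credentials out of browser RAM.
    Query-only handles (e.g. 0x1400, as Task Manager uses) do not trip it."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\msedge.exe"):
        return False
    if event.get("SourceImage", "").lower() in EXPECTED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs hex
    return bool(granted & PROCESS_VM_READ)

def flag_events(lines):
    """Return the SourceImage of every record that trips the rule."""
    events = (parse_event(line) for line in lines)
    return [e["SourceImage"] for e in events if is_suspicious_edge_access(e)]

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_LOG = [  # constructed, not real telemetry
    f'EventID="10" SourceImage="{EDGE}" TargetImage="{EDGE}" GrantedAccess="0x1FFFFF"',
    f'EventID="10" SourceImage="C:\\Users\\alice\\Downloads\\untrusted-tool.exe" TargetImage="{EDGE}" GrantedAccess="0x1010"',
    f'EventID="10" SourceImage="C:\\Windows\\System32\\Taskmgr.exe" TargetImage="{EDGE}" GrantedAccess="0x1400"',
    f'EventID="10" SourceImage="C:\\Users\\alice\\Downloads\\untrusted-tool.exe" TargetImage="C:\\Windows\\notepad.exe" GrantedAccess="0x1010"',
]
```

Only the second record fires: Edge opening itself is allow-listed, the 0x1400 handle lacks VM_READ, and the fourth record targets a different process.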
Why the distinction matters
Security questions often turn on where a control is meant to operate. If a system is designed to defend against remote abuse, protections at rest and user-interface checks may be sufficient for many common threat models. If the concern is post-compromise resilience, the standards change. Once an attacker has local access, anything held in memory becomes more valuable and more vulnerable.
That is why Microsoft’s “feature, not bug” framing may be technically coherent while still leaving users uneasy. From a product perspective, preloading credentials can improve responsiveness and reduce friction. From a security perspective, it increases the amount of sensitive material available to an attacker who has already crossed another boundary.
Neither side of that argument is trivial. Modern software frequently relies on memory-resident secrets to function smoothly. At the same time, endpoint compromise is not a hypothetical category of risk. If a browser centralizes credentials for many accounts, then any design choice that broadens in-memory exposure deserves scrutiny.
Core points established in the source text
- Edge stores saved passwords in plaintext in RAM when used as a password manager.
- Microsoft says this is expected behavior and would matter only if the device were already compromised.
- The researcher’s demonstration focuses on post-compromise access to browser memory.
A broader browser-security conversation
The story also reflects a larger shift in how browsers are judged. They are no longer just page-rendering tools. They are identity hubs, payment helpers, sync clients, and password managers. That means their memory behavior, not just their user-facing settings, increasingly matters to security-conscious users and enterprise defenders.
For some people, Microsoft’s explanation will be enough. If the device is already compromised, they may argue, many other protections have already failed. For others, that is precisely why the issue matters: software entrusted with sensitive credentials should minimize the useful data left exposed during that compromised state.
The source text does not establish that Microsoft plans any change, and it does not show evidence that the behavior is being actively exploited at scale. But it does surface a real design tension that is unlikely to disappear. Password managers inside mainstream browsers promise convenience by reducing the number of steps between a user and a login. The cost of that convenience is often paid in complexity that only becomes visible when a researcher looks beneath the interface.
For Developments Today, the significance is less about a sensational “plaintext passwords” headline than about product architecture. Edge is being asked to defend a choice that may be normal in some technical contexts but still difficult to justify to users who expect stronger compartmentalization around saved credentials. The debate is ultimately about how much exposure is acceptable after compromise, and that is a question the browser industry will keep confronting.
This article is based on reporting by ZDNET.
Originally published on zdnet.com