Microsoft Edge Exposes All Saved Passwords

by | May 8, 2026 | IT News & Insights New Zealand | Cybersecurity, AI & Microsoft Updates, Security

Is your browser giving your passwords away?

If your team uses Microsoft Edge and saves passwords in the browser, every one of those credentials is sitting in plain, readable text in your computer’s memory from the moment Edge launches.

A security researcher has confirmed this, and Microsoft has acknowledged the behaviour is intentional.

For businesses that rely on Windows and Microsoft 365, this is worth taking seriously.

What Was Found

Security researcher @L1v1ng0ffTh3L4N systematically tested every major Chromium-based browser (the family of browsers that includes Edge, Chrome and several others) to understand how each handles saved credentials in memory.

The finding was striking. Microsoft Edge is the only browser that decrypts and loads every single saved password into its process memory the instant the application opens. Those credentials remain in plaintext for the entire browser session, regardless of whether the user ever visits the relevant websites. Close a tab, never touch certain accounts, leave the browser open while you step out — the passwords are there, readable, the whole time.

Every other browser tested handled this differently and more carefully.

How Edge Compares to Chrome

The contrast with Google Chrome is significant.

Chrome only decrypts a credential at the moment it is needed: during autofill, or when a user deliberately opens the password manager to view a saved entry. Once that moment passes, the credential is no longer sitting in plaintext. Chrome also applies App-Bound Encryption, which hands the key for the stored password database to a privileged Windows service that checks the calling process is genuinely Chrome before decrypting anything, so other applications running as the same user cannot simply ask the operating system to unlock the store. That protection is not absolute (code already running with administrator or SYSTEM rights can still work around it), but it removes the easy path that most commodity infostealers rely on.

In short: Chrome exposes plaintext passwords briefly, under controlled conditions, and only when needed. Edge exposes all of them, immediately, for as long as the browser is open.

There is an additional detail that underscores the problem. Edge still prompts users to re-authenticate before it will display saved passwords within its own Password Manager settings screen. That re-authentication step creates the appearance of security. But it provides none, because the same passwords are already sitting in plaintext in the browser's process memory, readable by any process that can open the Edge browser process with memory-read access. On Windows that includes ordinary malware running as the same user; no administrator rights are required.

Microsoft, when the researcher disclosed this finding, confirmed the behaviour is intentional. It is working as designed.

Why This Matters for New Zealand Businesses

Browser-saved passwords are common across business environments. Edge ships as the default browser on Windows devices and integrates closely with Microsoft 365, which many New Zealand businesses use daily. It is a natural place for staff to save credentials for email accounts, business applications, banking portals, cloud services and SaaS tools.

The risk here isn’t theoretical. If a piece of malware reaches a staff member’s device (e.g. through a phishing email, a compromised website, or a malicious file) and can read process memory, it walks away with every password that person has saved in Edge. In one move. Without the user knowing anything has happened.

This is exactly the kind of silent, high-yield attack that modern threat actors target. Credential theft is consistently among the most common initial access methods in cyber incidents globally, and the New Zealand threat landscape reflects this.

A single set of stolen business credentials can be the starting point for a ransomware attack, a fraudulent payment, a Business Email Compromise, or weeks of undetected access to your systems.

What to Do

There are practical steps businesses should take in response to this finding.

Stop saving passwords in Edge. Business credentials, and ideally all passwords, should not be stored in browser-based password managers. This applies to Edge in particular, but is good practice across the board. Asking staff nicely is not enough; the browser's password manager should be switched off by policy so that new credentials cannot be saved, and any already-saved credentials should be cleared from the profile.
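One way to enforce that on a Windows endpoint, as an added example that is not from the original article: Edge honours the `PasswordManagerEnabled` policy under `HKLM\SOFTWARE\Policies\Microsoft\Edge`; setting it to 0 stops the browser saving passwords. The script below writes that value and then reads it back to verify. It assumes an elevated PowerShell session on the device; the same value can be pushed fleet-wide through Group Policy (the Edge ADMX templates) or Intune.

```powershell
# Added example (not from the original article): enforce the Microsoft Edge
# policy that stops users saving passwords in the browser, then verify it.
# Run from an elevated PowerShell session. For fleet-wide deployment push
# the same value via Group Policy (Edge ADMX templates) or Intune.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName = 'PasswordManagerEnabled'

function Set-EdgePasswordSavingDisabled {
    # Create the policy key if it does not exist yet, then set the DWORD to 0.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Test-EdgePasswordSavingDisabled {
    # Returns $true only when the policy value exists and is exactly 0.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$PolicyName -eq 0)
}

Set-EdgePasswordSavingDisabled
if (Test-EdgePasswordSavingDisabled) {
    Write-Output "Edge password saving is disabled by policy; edge://policy will list $PolicyName as false."
} else {
    Write-Warning "Policy was not applied. Check that this session is running elevated."
}
```

Two caveats. Edge picks the policy up on its next launch, so restart the browser (or visit edge://policy and click Reload policies) to confirm. More importantly, Microsoft's documentation for this policy states that disabling it stops users saving new passwords but still lets them use previously saved ones, so existing entries must be removed separately, either by the user from edge://settings/passwords or as part of migrating the team onto a dedicated password manager.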

Move to a dedicated password manager. Enterprise-grade password managers are built specifically for credential security. They use zero-knowledge architectures, enforce strong encryption, lock the vault after a period of inactivity, and decrypt an individual entry only when it is actually used, rather than loading every credential into memory at startup the way Edge does. Try the KARE password vault!

Review your endpoint security posture. The real risk here isn't Edge alone. It's the combination of browser-stored credentials and insufficient endpoint protection. If malware can execute on a device and read process memory freely, something in the security stack has already failed. Endpoint Detection and Response (EDR) tools monitor for exactly this kind of suspicious behaviour: an unexpected process opening the browser with memory-read rights is a strong signal of credential scraping.
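To show what that signal looks like in telemetry, here is an added example (not from the original article or the researcher's work) that triages Sysmon ProcessAccess events (Event ID 10) for processes that open `msedge.exe` with `PROCESS_VM_READ`, the access right an infostealer needs to scrape plaintext credentials out of the browser. It assumes Sysmon is installed with a configuration that includes ProcessAccess events whose TargetImage ends with `msedge.exe` (Sysmon does not log those by default), and it uses a hypothetical `EdrSensor.exe` as a placeholder for whatever legitimate tooling in your estate is expected to touch Edge. The sample events at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the original article): triage Sysmon Event ID 10
# (ProcessAccess) for processes opening Edge with memory-read rights.
# Assumes a Sysmon config that includes ProcessAccess for TargetImage
# ending in msedge.exe; Sysmon does not record these events by default.

$ProcessVmRead = 0x0010   # PROCESS_VM_READ bit of the Win32 process access mask

# Image paths expected to open Edge: Edge's own sandboxed child processes, and
# a hypothetical placeholder for your EDR sensor. Tune this list for your estate.
$AllowedSources = @(
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    'C:\Program Files\EdrVendor\EdrSensor.exe'
)

function Find-SuspiciousEdgeMemoryAccess {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        # Only care about the Edge browser process as the target.
        if ($e.TargetImage -notlike '*\msedge.exe') { continue }
        # Sysmon records GrantedAccess as a hex string such as 0x1010.
        $granted = [Convert]::ToInt32($e.GrantedAccess, 16)
        if (($granted -band $ProcessVmRead) -eq 0) { continue }
        # Drop sources we expect; everything else is worth an analyst's eyes.
        if ($AllowedSources -contains $e.SourceImage) { continue }
        $e
    }
}

# Pull live Sysmon events and flatten them into the shape the function expects.
function Get-SysmonProcessAccessEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            SourceImage   = $d['SourceImage']
            TargetImage   = $d['TargetImage']
            GrantedAccess = $d['GrantedAccess']
        }
    }
}

# Constructed sample events (not real telemetry) so the logic can be run offline.
$EdgeExe = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$Sample = @(
    # Edge browser process opening one of its own children: expected, allow-listed.
    [pscustomobject]@{ TimeCreated = '2026-05-08 09:01:12'; SourceImage = $EdgeExe
                       TargetImage = $EdgeExe; GrantedAccess = '0x1FFFFF' }
    # A binary dropped from a phishing mail opening Edge with QUERY_INFORMATION | VM_READ.
    [pscustomobject]@{ TimeCreated = '2026-05-08 09:03:45'
                       SourceImage = 'C:\Users\staff\AppData\Local\Temp\invoice.exe'
                       TargetImage = $EdgeExe; GrantedAccess = '0x1010' }
    # Unrelated process access that does not involve Edge at all: ignored.
    [pscustomobject]@{ TimeCreated = '2026-05-08 09:04:02'
                       SourceImage = 'C:\Windows\System32\svchost.exe'
                       TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' }
)

# Only the invoice.exe event is returned.
Find-SuspiciousEdgeMemoryAccess -Events $Sample | Format-Table TimeCreated, SourceImage, GrantedAccess

# Against real telemetry on a Sysmon-equipped endpoint:
# Find-SuspiciousEdgeMemoryAccess -Events (Get-SysmonProcessAccessEvents)
```

Matching on the source image path is a starting point, not a guarantee: a malicious binary can be named msedge.exe and placed elsewhere, or injected into a legitimate process, which is why a commercial EDR pairs this kind of access telemetry with code-signing checks and the call stack (Sysmon's CallTrace field) before raising an alert. The point of the example is to show what "suspicious memory access" concretely means, so you can ask your provider whether their tooling would see it.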

Consider your MFA coverage. Even if credentials are stolen, multi-factor authentication (MFA) significantly raises the bar for attackers trying to use them. Ensuring MFA is consistently enforced across your business applications is a critical backstop.

Talk to your IT team or provider. If you’re not sure how your team is managing credentials, or whether your endpoint protection would catch memory-scraping activity, it’s worth asking the question.

A Pattern Worth Noting

What makes this finding particularly uncomfortable is Microsoft’s response. This isn’t a bug that slipped through. It’s a deliberate design decision in one of the world’s most widely deployed browsers, one that is tightly integrated with the enterprise software stack used by millions of businesses.

It is a useful reminder that even the tools from major, trusted vendors require scrutiny. Security posture isn’t a product you buy once. It’s a discipline that requires ongoing attention, systematic processes, and people who are asking the right questions on your behalf.

At Kinetics, our KARE Foundation service includes endpoint protection with EDR capabilities, MFA management, and structured security monitoring — built for New Zealand businesses that want security handled systematically, not reactively.

If this finding has raised questions about your current security posture, we’d be glad to talk it through.