Microsoft reverses course on Edge: saved passwords will no longer load into memory at startup

Microsoft has flipped its position on Edge keeping saved passwords decrypted in memory the moment the browser launches. After originally telling the researcher who reported it that the behavior was 'by design' and not a security issue, Microsoft now says future Edge builds will stop loading the password store into memory at startup. The fix is already live in the Canary channel and will reach Stable, Beta, Dev, and Extended Stable in build 148. The original disclosure came with a working tool that lets an administrator on a shared Windows machine dump other users' Edge passwords by reading process memory.

Check
Inventory Edge installs across your fleet. Check the current Edge version via edge://settings/help and flag anything below build 148.
Affected
Microsoft Edge versions before build 148 (Stable, Beta, Dev, Canary, Extended Stable) that store credentials via Edge's built-in password manager.
Fix
Update Edge to build 148 or newer when it ships. Until then, disable Edge's built-in password manager on sensitive endpoints and limit local admin rights on shared machines.
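
The Check and Fix steps above can be applied to a fleet inventory export. The following is an added example, not code from Microsoft or from the original article. The CSV column names, hostnames and version strings are constructed, and it assumes "build 148" refers to the first component of the Edge version string.

```python
import csv
import io

FIXED_MAJOR = 148  # the article's "build 148", read as the first version component (assumption)

# Constructed sample export; column names and values are made up for this example.
SAMPLE_INVENTORY = """host,channel,version,password_manager,shared
kiosk-01,Stable,147.0.1111.10,enabled,yes
dev-07,Canary,149.0.2222.0,enabled,no
hr-12,Extended Stable,146.0.3333.5,disabled,yes
lab-03,Beta,unknown,enabled,yes
ws-44,Stable,148.0.4444.1,enabled,yes
"""

def major_version(version):
    """Return the leading numeric component, or None if not a four-part dotted version."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0])

def triage(row):
    """Map one inventory row to an action following the article's Check and Fix guidance."""
    major = major_version(row["version"])
    if major is None:
        return "review"          # version unreadable: confirm by hand via edge://settings/help
    if major >= FIXED_MAJOR:
        return "ok"
    exposed = row["password_manager"] == "enabled"
    if exposed and row["shared"] == "yes":
        return "mitigate-now"    # pre-148, passwords stored, shared machine
    if exposed:
        return "update"          # pre-148 with stored passwords, single-user machine
    return "update-low"          # pre-148, built-in password manager already disabled

def triage_inventory(text):
    """Return {host: action} for every row of a CSV export."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {action}")
```

Hosts marked mitigate-now are the ones where the interim measures in the Fix step (disabling the built-in password manager, limiting local admin rights) matter most until the update ships.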