Microsoft Edge reportedly loads all saved passwords into process memory as clear text, even when those passwords are not actively in use.
Key Takeaways
Passwords appear in Edge process memory in plain text, readable by any principal that can open the process for memory reads (normally the same user on the same host, or an administrator).
The exposure is not limited to passwords in active use – unused credentials are also present in memory.
On terminal servers (RDS hosts), an attacker with local admin rights can read the Edge processes of every logged-on user, so one compromised account exposes every session's saved passwords.
This is a local attack surface, not a remote one: it requires code execution on the host, but that is exactly the position an attacker is in after initial compromise, so it matters for post-exploitation credential theft.
Hacker News Comment Review
Dominant technical pushback: if an attacker can already read arbitrary process memory or has admin rights, they can export passwords through Edge’s built-in export feature anyway, making this a limited incremental risk.
Commenters note that the distinction between "loads into memory" and "persistently stores" matters: a browser must decrypt a password to fill it into a form, so some plaintext exposure is structurally unavoidable; the real questions are scope (all credentials or only the one in use) and duration (wiped after use or held for the lifetime of the process).
The broader debate echoes a known password-manager design tension: tools like KeePass go to lengths to protect secrets in memory (keeping them encrypted except while in use and wiping buffers afterwards), but a browser-integration plugin that can request credentials at the user's privilege level typically yields the key or the credentials anyway, so those protections only raise the bar against an attacker who already runs as the user.
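The two sides of that scope-and-duration argument can be shown concretely. The following is an added example, not code from the original article or from any of the commenters, and it does not touch Edge: it scans its own process the way an attacker with memory-read access would scan a browser (on Linux via /proc/self/mem; on Windows the equivalent primitive is OpenProcess plus ReadProcessMemory), using a constructed "PWD=" plus 24 hex digits marker as a stand-in for a saved password. It then wipes the secret in place, KeePass-style, and scans again. The secret is built byte by byte into a mutable buffer because an immutable Python str or bytes copy can never be zeroed, which is the same structural problem the browser faces once it has decrypted a password. Assumptions: Linux with a readable /proc, Python 3.7 or newer.

```python
"""Added example: find a credential-shaped string in process memory, then show
that zeroing the only copy in place makes it disappear from the scan.
Linux only (reads /proc/<pid>/maps and /proc/<pid>/mem). The 'PWD=<24 hex>'
marker is a constructed stand-in for a saved browser password."""
import os
import re
import secrets

# Constructed marker format. The regex's own source literal contains "PWD=[",
# so the pattern never matches itself in the interpreter's memory.
MARKER_RE = re.compile(rb"PWD=[0-9a-f]{24}")
MARKER_LEN = 4 + 24
HEX = b"0123456789abcdef"
CHUNK = 1 << 20          # read 1 MiB of the target at a time
OVERLAP = MARKER_LEN     # re-read this much so a straddling marker is still seen


def make_secret() -> bytearray:
    """Build the secret one byte at a time into a single mutable buffer, so no
    immutable (and therefore un-wipeable) copy of the whole value ever exists."""
    secret = bytearray(MARKER_LEN)
    secret[0:4] = b"PWD="
    for i in range(4, MARKER_LEN):
        secret[i] = HEX[secrets.randbelow(16)]   # int assignment, no copy
    return secret


def readable_regions(pid="self"):
    """Yield (start, end) for every readable user-space mapping of the process."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split()
            addrs, perms = fields[0], fields[1]
            name = fields[5] if len(fields) > 5 else ""
            if "r" not in perms or name in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in addrs.split("-"))
            if end > (1 << 63):      # kernel-side addresses are not pread-able
                continue
            yield start, end


def scan_memory(pid="self") -> set:
    """Return the absolute addresses of every marker-shaped string in the
    process. This is the attacker's view: anyone who can read the process
    memory (same user, or admin for other users' sessions) can do this."""
    hits = set()
    buf = bytearray(CHUNK)
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end in readable_regions(pid):
            off = start
            while off < end:
                n = min(CHUNK, end - off)
                try:
                    # preadv reads straight into buf: no intermediate bytes object
                    got = os.preadv(fd, [memoryview(buf)[:n]], off)
                except OSError:
                    break            # mapping changed or is not readable (EIO)
                for m in MARKER_RE.finditer(buf, 0, got):
                    hits.add(off + m.start())
                if got < n:
                    break
                off += n - OVERLAP if n == CHUNK else n
    finally:
        os.close(fd)
        buf[:] = bytes(len(buf))     # the scan buffer held copies too: wipe it
    return hits


def demo() -> tuple:
    """Hold a secret, scan (found), wipe it in place, scan again (gone).
    Returns (hits_while_live, hits_after_wipe)."""
    secret = make_secret()
    before = len(scan_memory())
    secret[:] = bytes(MARKER_LEN)    # KeePass-style: zero the buffer after use
    after = len(scan_memory())
    return before, after


if __name__ == "__main__":
    live, wiped = demo()
    print(f"marker copies found while live: {live}, after wipe: {wiped}")
```

Run it as an ordinary script; the first count is at least 1 and the second is 0. To look at another process instead of itself, pass its PID to scan_memory, which on Linux then needs ptrace permission over that process (same user with a permissive ptrace_scope, or root): exactly the "already has the privilege" condition the Hacker News pushback is about. The browser's problem is that it cannot take the second step for credentials it keeps decrypted and idle, which is what the report criticises.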
Notable Comments
@gruez: invokes Microsoft’s “airtight hatchway” framing – admin access already grants equivalent credential access via other paths.
@nubinetwork: notes parity with Linux – attaching gdb to sshd or a getty process yields the same result, so this is not unique to Edge or Windows.