When you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials.
At the same time, Edge requires you to re‑authenticate before showing those same passwords in the Password Manager UI — yet the browser process already has them all in plaintext.
Edge is the only Chromium‑based browser I’ve tested that behaves this way. By contrast, Chrome uses a design that makes it far harder for attackers to extract saved passwords by simply reading process memory.
It decrypts credentials only when needed, instead of keeping all passwords in memory at all times. App‑Bound Encryption (ABE) adds another layer by binding decryption to an authenticated Chrome process, preventing other processes from reusing Chrome’s encryption keys.
Because of these controls, plaintext passwords appear only briefly during autofill or when the user views them, making broad memory scraping far less effective. The risk of keeping the passwords in cleartext in memory becomes evident in shared environments.
If an attacker gains administrative access on a terminal server, they can access the memory of all logged‑on user processes. In the video the attacker has compromised a user account with administrative rights and is able to view stored credentials for two other logged on
(or even disconnected) users with Edge running. I reported this to Microsoft, and the official response was that the behavior is “by design”. They have been informed that I would be sharing this as a responsible disclosure so users and organizations can make informed decisions
about how they manage credentials. Last wednesday (April 29th) I disclosed this on BigBiteOfTech by Norway
Simple, educational proof of concept, to show that the passwords are stored in cleartext in memory.
@Zink @0ops I want to add on the subject of VMs for work: a VM is worlds easier to backup, to port to other hardware, etc etc. Plus it has some (potentially quite major) advantages of isolation. I’m actually of the opinion that any work environment that can safely go into a VM probably should anyway.
The only catch is the VM corporations aren’t so great. VMWare is wrecked and Oracle isn’t a great company either. Qemu is good, but really hard to use. (If you can do it, it’s super portable and probably should be more reliable though.)
WINE options via a manager like Bottles with encapsulated runners are almost as good at this.
Yeah, before we got the OK to just dual boot our laptops at work, I ran a linux VM inside windows for a while and it honestly worked very well.
Even now that I just run Linux, and Windows is VM-only for occasionally checking Windows build artifacts, it can be convenient to have a different Linux distro in a VM for random things.