Patched on May 18th, 2026: While Microsoft originally said the plaintext password behavior was “a deliberate design decision,” the publisher has now changed its tune. Starting with Edge version 148, the browser will no longer keep all passwords loaded in unencrypted form.
Original story from May 5th, 2026: If you tend to save your passwords in your browser, you need to be more careful. A security researcher from Norway has uncovered a serious vulnerability in Microsoft Edge: passwords are stored in memory as plaintext, as shown in this social media post.
Any malicious user with local access could easily intercept all your stored passwords, even if they haven’t been used at all during a given session. Attackers could simply retrieve and copy the passwords in plaintext. In a video, Tom Jøran Sønstebyseter Rønning demonstrates it in action:
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB
The vulnerability affects Microsoft Edge’s password manager. Password managers typically use end-to-end encryption and store passwords in cloud storage so that users can access them from anywhere. When passwords are needed, password managers normally decrypt them for use and then delete them afterwards.
The fact that Edge keeps all passwords loaded without any encryption is both unusual and dangerous. Other password managers, including those that are built into browsers, don’t operate in this way—Rønning says Edge is the only Chromium-based browser he’s tested with this behavior.
Edge does require authentication to view passwords in the password manager, but this is of little protective value if attackers can simply gain access by reading the RAM, which is what happens here.
Rønning apparently shared his findings with Microsoft and received an unexpected response. According to ITavisen (machine translated), Edge’s password management behavior is “a deliberate design decision,” “not a bug.” It’s unclear what benefit this design offers for users.
Rønning decided to warn users about how it works anyway, and also plans to publish his own tool on GitHub, which any user can use to check whether their Edge passwords are stored in plaintext.
If you use Edge and have passwords stored in the browser, you should migrate to another password manager that’s actually secure, then delete all your passwords from Edge. If you don’t know where to start, check out PCWorld’s picks for the best password managers.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
After studying communication science, Laura went straight into a job at PCMagazin and Connect Living. Since then, she has been writing about everything to do with PCs and technology topics, and has been a permanent editor at our German sister site PC-WELT since May 2024. Laura is an enthusiastic gamer as well as a movie and TV fan.