(Credit: Daniel Constante via Shutterstock)
Facing backlash, Microsoft is reversing a controversial design choice in the Edge browser that stored passwords in plaintext in a computer’s RAM, paving the way for malware to fetch the data.
“We are addressing the originally reported issue immediately,” Microsoft VP for Edge Security Andrew Ritz wrote on LinkedIn. “We no longer load passwords into memory on startup.”
The change is already available in the browser's Canary release, with the goal of rolling it out to all stable versions of Edge in the next update. “If you use Edge’s password manager today, you don’t need to do anything; the update will reach you through the normal update channel,” Ritz added.
A security researcher flagged the issue last week, demonstrating how a simple tool could extract all the passwords in Edge using the command prompt with administrator privileges. “Edge is the only Chromium‑based browser I’ve tested that behaves this way,” said Tom Jøran Sønstebyseter Rønning, who noted Google’s Chrome decrypts saved credentials “only when needed.”
Initially, Microsoft said Edge was designed to load all passwords in plaintext “to help users sign in quickly and securely.” Importantly, the company noted: “Access to browser data as described in the reported scenario would require the device to already be compromised.” In other words, malware must have successfully infected the PC to pilfer the passwords from Edge, which could open the computer to all kinds of attacks.
Still, Microsoft’s defense sparked debate over whether the password-storing issue was overblown or if the company was doing enough to protect users. It looks like the backlash and lingering security concerns prompted Redmond to act at a time when Microsoft’s cybersecurity stance has been criticized before for being too lax.
“You trust us with something deeply personal when you save a password in Edge, and we don't take that lightly,” Ritz wrote in his LinkedIn post. “The reported behavior doesn't put customers at new risk, but that's where our work starts, not where it ends."
Going forward, Edge will now decrypt a password and insert it into a webpage, and then remove the password from memory once it's no longer needed, Microsoft told PCMag. If a user visits their password manager page in Settings, the passwords will be decrypted and held in memory, but only until the user leaves the manager page.
Edge’s Security Lead, Gareth Evans, noted Microsoft didn't initially act on the security issue because “the threat model for our password manager is explicit that physically local attacks and malware running with elevated privileges are out of scope, and that’s consistent with every modern browser.” Still, the company is making the change to shore up defenses and reduce the potential for password exposure.
“With our commitment to the Secure Future Initiative (a pledge made in 2023) and customer feedback, we are taking a broader view,” he added.
The company is also “reviewing” how it handles researcher reports to act more quickly, after initially dismissing Rønning's findings. “We’ll share our process lessons and improvements in the not-too-distant future,” Ritz said.