Overview
- Researchers showed that Edge decrypts every saved password at launch and leaves them readable in the browser’s memory, a behavior Microsoft says is by design.
- Public proofs of concept and demos, including a GitHub tool called EdgeSavedPasswordsDumper, confirm that stored credentials can be pulled from an Edge process without visiting any sites.
- Attackers who already have local access, malware, or admin rights can dump the Edge process memory and harvest passwords, which is especially dangerous on terminal servers, VDIs, and remote desktops.
- Independent tests found other Chromium browsers such as Chrome decrypt passwords only when needed and use protections like app‑bound encryption that make memory scraping far harder.
- Security pros advise turning off Edge’s password storage, migrating logins to a dedicated password manager, and purging saved passwords from Edge while organizations tighten policies on shared Windows environments.