Microsoft Edge just stopped storing your passwords in plaintext - but you'll need the latest update

If you're one of the users who relies on Microsoft Edge to save and manage your website passwords, you should now feel a bit safer knowing that your credentials are better protected from security risks. In a recent post, Microsoft Edge Security Team Lead Gareth Evans announced that the company will no longer store plaintext passwords in Edge's memory. This change comes in response to a recent finding by a security researcher who discovered that Edge was storing plaintext passwords in memory when the browser was used to manage them.

The researcher, Tom Jøran Sønstebyseter Rønning, found that when you save passwords in Edge, the browser decrypts every credential at startup and keeps them resident in process memory. This happens even if you never visit a site that uses those credentials. Rønning explained that Edge requires you to re-authenticate before showing those same passwords in the Password Manager UI, yet the browser process already has them all in plaintext.

Microsoft acknowledged this behavior, stating that it's an expected feature that would only pose a risk if your device was already compromised. However, the company has since reversed its position, with Evans stating that "we will no longer load passwords into memory on startup." This defense-in-depth change is now live in Edge Canary and will be included in the next update for all Edge releases, build 148 and newer. To ensure you're better protected, simply update to the latest version of Edge.

You can do this by clicking the three-dot Settings icon at the top, going to Help and feedback, and selecting About Microsoft Edge. The latest update will automatically download and install. Restart Edge, and the new version will be in place.

No special action is required beyond installing the latest version. While Microsoft's original justification may have been valid, this type of behavior seemed unique to Edge's password manager. Rønning noted that Edge is the only Chromium-based browser he's tested that acts this way, with Google Chrome decrypting credentials only when needed rather than keeping all passwords in memory at all times.