Edge Keeps Every Password You've Ever Saved in RAM as Plaintext — Even the Ones You're Not Using

:unlocked: Edge Keeps Every Password You’ve Ever Saved in RAM as Plaintext — Even the Ones You’re Not Using

A security researcher just proved your browser is keeping a master list of every login you’ve ever saved — sitting in memory, unencrypted, waiting to be grabbed

Microsoft Edge stores ALL your saved passwords in cleartext RAM throughout your entire browsing session — whether you’re using them or not. A researcher just built a tool that yanks them out without needing admin access.

Chrome does it too. Firefox does it by default. Your password manager sitting there looking secure? It’s keeping a plaintext buffet in memory the whole time you’re scrolling cat videos.

security breach

🧩 Dumb Mode Dictionary
You’ll Hear It Actually Means
Cleartext/Plaintext Your password sitting there as “hunter2” instead of scrambled gibberish
RAM/Memory The brain space your computer uses while programs are running (disappears when you close things)
Threat Model The list of attacks a company actually tries to defend against (spoiler: not all of them)
Defense-in-Depth Multiple security layers so if one fails you’re not instantly cooked
Spectre/Meltdown CPU bugs from 2018 that let programs peek at other programs’ memory
🔍 What the Researcher Found

A security person built a proof-of-concept tool that extracts saved passwords from Edge’s memory without:

  • Administrator/root access
  • Debugger tools
  • Physical access to the machine

Just regular user permissions. The tool reads Edge’s memory space and grabs every stored password sitting there in readable text.

The kicker? You don’t even need to be using those passwords. Edge loads them all into RAM when it starts and keeps them there the entire session.

💬 But Wait — Everyone Does This

Security nerds in the discussion revealed:

  • Chrome: Same behavior, passwords unencrypted in memory
  • Firefox: Also unencrypted by default (unless you set a master password, which almost nobody does)
  • Every password manager: Has to decrypt passwords into memory to auto-fill them

Browser vendors’ official position: “Physically-local attacks aren’t part of our threat model.”

Translation: If someone’s already running code on your machine with your user permissions, you’re already screwed. Protecting passwords in RAM won’t save you from that level of compromise.

⚔️ The Counterargument — Defense Matters Anyway

Some researchers pushed back hard:

Even if full system access = game over, reducing the plaintext window still matters because:

  1. Partial exploits exist: Vulnerabilities like Spectre and Meltdown let attackers read memory without full system access
  2. Memory dumps happen: Crash reports, hibernation files, swap files — all can leak RAM contents
  3. Malware doesn’t always get admin: Lots of attacks run at user-level and grab what they can reach

Keeping passwords encrypted until the exact microsecond they’re needed = smaller attack surface. It’s defense-in-depth — making attackers work harder even after they get in.

🛡️ What Browsers Could Do (But Don't)

Option 1: Keep passwords encrypted in RAM, only decrypt them right when autofill triggers

Option 2: Use OS-level credential storage (Keychain on Mac, Credential Manager on Windows) that requires explicit user approval per access

Option 3: Implement a master password like Firefox offers (but make it actually mandatory)

Why they don’t: Convenience. Users hate typing master passwords. Performance takes a tiny hit from constant encrypt/decrypt. And their threat model says “if you’re already compromised at this level, protecting RAM won’t save you.”

Cool. Your Browser Is a Walking Password Database. Now What the Hell Do We Do? ಠ_ಠ

hacker typing

🔐 Use a Standalone Password Manager with Memory Protection

Tools like 1Password, Bitwarden, and KeePassXC implement memory protection techniques (process isolation, encrypted memory pages, auto-lock timers).

They’re not perfect, but they’re designed around the assumption that memory attacks exist — unlike browsers that treat it as “not our problem.”

:brain: Example: Security consultant in Germany switched from Chrome’s built-in manager to Bitwarden with auto-lock after 5 minutes. Uses browser extension that requires master password re-entry. Adds friction but reduces exposure window from “entire session” to “5 minutes max.”

:chart_increasing: Timeline: 20 minutes to export from browser, import to Bitwarden, install extension, configure auto-lock

🧹 Clear Saved Passwords from Browsers Entirely

If your threat model includes “someone might run memory-reading malware on my machine,” stop using browser password storage.

Go into Edge/Chrome/Firefox settings → Passwords → Delete all saved credentials. Force yourself to use a standalone manager that treats memory security seriously.

:brain: Example: Freelance developer in Brazil got his Upwork account compromised via malware that scraped browser memory. Wiped all browser-saved passwords, moved everything to KeePassXC with a local encrypted database. Now even if malware runs, it can’t access the vault without the master password (which he types, not saves).

:chart_increasing: Timeline: 30 minutes to audit what’s saved, export to CSV, delete from browser, import to new manager

💻 Enable Firefox Master Password (If You Must Use Browser Storage)

Firefox has an optional master password feature that encrypts your saved passwords. It’s not enabled by default because Mozilla knows users won’t use it.

But if you turn it on, Firefox keeps passwords encrypted in memory until you unlock the vault each session. Better than nothing.

:brain: Example: Privacy researcher in Canada enabled Firefox master password + auto-lock after 15 minutes idle. Combined with containers (isolating site cookies/sessions), reduced risk of cross-site credential leakage even if memory gets dumped.

:chart_increasing: Timeline: 2 minutes to enable, then typing one password per Firefox session

🔬 Run Browsers in Sandboxed VMs for Sensitive Accounts

For high-value accounts (banking, email, work), run a separate browser instance inside a disposable virtual machine using Qubes OS or Windows Sandbox.

If malware compromises the VM, it can’t reach your host system’s memory or other VMs.

:brain: Example: Infosec contractor in Poland uses Qubes OS with separate VMs for personal/work/banking. Each VM runs its own browser instance. Even if one gets popped and passwords leak from RAM, attacker can’t pivot to other credential sets.

:chart_increasing: Timeline: 2-4 hours to set up Qubes OS initially; 30 seconds overhead per session after that

🛠️ Follow-Up Actions
Want Do
Check what your browser saved Settings → Passwords → See the full list (you’ll be horrified)
Export before deleting Use browser’s export function to save as CSV, then import to real password manager
Test a password manager Bitwarden is free and open-source, good starting point
Learn about memory attacks Read about Spectre and why RAM-based attacks are real
Go nuclear Set up Qubes OS for compartmentalized browsing

:high_voltage: Quick Hits

Want Do
Stop trusting browser password storage Move to 1Password, Bitwarden, or KeePassXC
Use Firefox’s master password Settings → Privacy → Use a Primary Password
See what Edge/Chrome saved Settings → Passwords → Saved Passwords (probably way more than you remember)
Understand the threat Read about memory disclosure attacks and why this matters
Sandbox sensitive browsing Try Windows Sandbox for banking/email sessions

Your browser thinks convenience beats security. Your attacker thinks you’re leaving the vault unlocked.

:robot: Generated with Claude Code

4 Likes