Microsoft Edge Loads Every Saved Password in Plain Text — And Calls It “By Design”
Your browser asks for your fingerprint to show passwords. Meanwhile, they’re already sitting in memory like sticky notes on a monitor.
274 million Edge users. Every saved password. Loaded into readable memory the moment you open the browser. Microsoft’s response: “This is intentional.”
Between you and me, this one’s bad. A security researcher just proved that Microsoft Edge dumps your entire password collection — every login, every site, every credential — into your computer’s memory as readable text. Not when you visit a site. Not when you click “show password.” The second Edge opens. And Microsoft looked at this, shrugged, and said it’s working as designed.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Cleartext / Plain text | Your password sitting there readable, like writing “password123” on a napkin |
| Process memory | The temporary scratchpad your computer uses while a program runs — readable by other programs |
| Memory dump | Taking a snapshot of everything in that scratchpad — like photocopying someone’s desk |
| CWE-316 | An official code that says “storing sensitive stuff in readable memory is a known security flaw” |
| Windows Hello | The fingerprint/face scan Edge asks you for before showing passwords (turns out it’s just theater) |
| Hex editor | A tool that lets you read raw computer data — the digital equivalent of an X-ray machine |
📖 What Actually Happened
A researcher going by @L1v1ng0ffTh3L4N tested every major browser to see how they handle your saved passwords in memory.
Here’s what they found:
- Chrome: Only pulls a password out of the vault when you actually need it (like during auto-fill)
- Firefox: Similar approach — passwords stay locked until requested
- Edge: Dumps every single saved password into readable memory the moment you open the browser. All of them. Even ones you haven’t used in months.
The researcher created a test account, saved the password in Edge, then used Task Manager to create a memory dump (~670 MB file). A simple search with a hex editor found the password sitting right there. No special tools. No admin rights. No hacking required.
📊 The Numbers
| What | How Bad |
|---|---|
| Edge users worldwide | ~274 million |
| Desktop market share | 11.8% — third biggest browser |
| Memory dump size | ~670 MB (one file, all your secrets) |
| Special access needed | None — any logged-in user can do this |
| Time to extract passwords | Minutes |
| Microsoft’s fix timeline | None. “By design.” |
🔍 How The Attack Works (It's Embarrassingly Simple)
Here’s the play, step by step:
- Open Edge — don’t even visit a website
- Open Task Manager → right-click Edge process → “Create dump file”
- Open the dump file with the
stringscommand or any hex editor - Search for
comhttps— that’s the pattern Edge uses to store credentials - Read passwords — they follow the format:
<url><protocol><username><password>
That’s it. No admin privileges. No special software. Any malware running under your user account gets the same access. And here’s the kicker — Edge makes you scan your fingerprint or face to view passwords through the browser settings. But in memory? Wide open. Front door locked, back wall missing.
The SANS Internet Storm Center classified this under CWE-316 — a well-known category of “you’re storing sensitive data in readable memory.”
🗣️ Microsoft's Response
Microsoft acknowledged the finding and responded with possibly the most infuriating three words in security: “by design.”
According to Itavisen.no’s reporting, Microsoft considers memory-based credential access to fall outside their browser’s “threat model.” Translation: if someone can read your computer’s memory, Microsoft considers you already compromised — so why bother protecting passwords there?
Meanwhile, Germany’s BSI (Federal Office for Information Security) had already excluded Edge’s password manager from their December security evaluation of password managers. Almost like they knew.
😤 What People Are Saying
The Hacker News thread is on fire:
- “Security theater at its finest” — multiple commenters pointed out the absurdity of requiring biometric auth to view passwords while leaving them in plain text memory
- “Any malware running as your user now owns everything” — the real-world implication that makes this dangerous
- “This is why I use a dedicated password manager” — the most common practical response
- Sysadmins flagged that on terminal servers (shared office computers), an admin can dump the memory of every logged-in user → every Edge password across the company
⚙️ Why This Matters More Than You Think
This isn’t just about one browser. It exposes a pattern:
- Corporate environments: Many companies force employees to use Edge. Those employees save work passwords in Edge. One compromised account on a shared server → the entire company’s passwords.
- Malware doesn’t need to be sophisticated: Info-stealing malware (the kind that costs $50/month on Telegram) already targets browser memory. Edge just made their job easier.
- The “by design” excuse: This sets a precedent. If Microsoft won’t fix a known CWE vulnerability because it’s “intended behavior,” what else are they deciding isn’t worth protecting?
Chrome solved this problem years ago with on-demand decryption. Edge chose not to. That’s not a technical limitation — it’s a choice.
Cool. So the world’s third-biggest browser is handing out passwords like candy. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

🔧 Hustle 1: Build a 'Browser Password Audit' Micro-Tool
Here’s what you do: Build a simple desktop app (Electron or Python) that scans a user’s browser, tells them which passwords are stored in cleartext-vulnerable managers, and offers a one-click migration to a proper password manager. Sell it as a B2B tool to IT departments panicking about this exact news.
Example: A developer in Estonia built a similar “credential hygiene scanner” after the LastPass breach in 2023. He sold it to 40+ small IT firms in the Nordics through LinkedIn cold outreach at €200/year per company. He’s clearing €8,000/year on autopilot because companies keep renewing after compliance audits.
Timeline: Build in a weekend using Python + Process Explorer docs. First paying customer within 2 weeks if you target IT consultancies on LinkedIn.
💰 Hustle 2: Sell 'Edge Migration' as a Service to Small Businesses
Most small businesses (10-50 employees) use Edge because it comes with Windows. They don’t have IT departments. They have no idea this vulnerability exists. Here’s what you do: Package a 1-hour remote session where you migrate their team from Edge’s password manager to Bitwarden (free for personal, $3/user/month for business). Charge $150-300 per company. Send the news article as your sales pitch.
Example: A freelance IT guy in the Philippines saw the LastPass breach coverage and started offering “password manager migration” to expat-run businesses in Cebu. He charges ₱5,000 (~$90) per migration, does 3-4 per week, and the clients keep paying him monthly for “security check-ins.” Between you and me — the check-ins take him 15 minutes.
Timeline: First client this week. Email every small business owner you know with the headline. They’ll panic. You’ll profit.
📱 Hustle 3: Create a TikTok/Reels Series Showing Live Browser Hacks
This vulnerability is visual. You can literally show someone’s password appearing in a text file. That’s engagement gold. Start a series called “Things Your Browser Doesn’t Want You to See” — show the Edge memory dump, show how Bitwarden or KeePassXC handles it differently, show what happens when malware hits. Each video ends with “here’s how to fix it.” Affiliate-link the password managers.
Example: A cybersecurity student in Morocco started posting “I hacked my own ___” videos on TikTok after the MOVEit breach. 200K followers in 4 months. He now gets paid $500-1,500 per sponsored post by VPN companies and password managers. The content takes 30 minutes to record because he’s literally just screen-recording real tools.
Timeline: First video today. The algorithm loves “I just hacked my own browser” energy. Affiliate revenue starts when you hit 5K followers → typically 2-4 weeks with daily posting.
🧠 Hustle 4: Flip This Into Penetration Testing Gigs
Companies are about to ask: “Wait, are OUR employees using Edge?” Here’s the angle — offer a “credential exposure audit” where you check which browsers employees are using, what’s stored in them, and whether their memory is dumpable. You don’t need a CISSP. You need Process Explorer, a professional report template, and the ability to explain this article to a CEO.
Example: A self-taught security guy in Romania started doing “browser credential audits” for EU companies after GDPR panic in 2018. He charges €500-1,500 per audit. No certifications. Just a solid report, a clear explanation, and a recommendation. He told me most clients don’t even read the report — they just need it for compliance paperwork.
Timeline: Build your report template this week. Cold-email 50 companies with this article attached. You need exactly 1 “yes” to start building a reputation.
🛠️ Follow-Up Actions
| Step | What to Do |
|---|---|
| 1 | Check if your passwords are in Edge — the SANS write-up has the exact commands |
| 2 | Switch to Bitwarden (free) or KeePassXC (free, offline) today |
| 3 | Export your Edge passwords (Settings → Passwords → Export) and delete them from Edge |
| 4 | If you manage a team, audit which browsers employees are storing credentials in |
| 5 | Disable Edge’s built-in password manager via Group Policy if you’re in a corporate environment |
Quick Hits
| You Want To… | Here’s What You Do |
|---|---|
| Export from Edge → import to Bitwarden → delete Edge passwords → done | |
Run strings on an Edge memory dump and search for comhttps (SANS guide) |
|
| Sell browser migration services or credential audits to small businesses | |
| Start a “browser security exposed” content series — this story is perfectly visual | |
| Read the full CWE-316 classification and the Hacker News discussion |
Edge asks for your fingerprint to show passwords. They’re already in memory, readable by a text editor. That’s not a bug — that’s a betrayal.
!