Microsoft woke up to another security headache this week, and this one hits a little too close to home for anyone who relies on Edge as their daily browser. A security researcher discovered that Edge loads all saved passwords into memory in plain, unencrypted text the moment the browser launches. Not after you log in. Not after you autofill something. Immediately at startup. For a company that has spent the past year insisting security is its top priority, this is a tough look.
The researcher behind the finding, Tom Jøran Sønsterbyseter Rønning, told Windows Central that Edge is the only Chromium browser he tested that behaves this way. Chrome, he explained, uses a design that makes it significantly harder for attackers to extract saved passwords by simply reading process memory. That contrast matters because it shows this is not a Chromium problem. It is a Microsoft problem, created by Microsoft’s own modifications to the browser.
The issue is not that attackers can magically reach into your PC and grab your passwords. They would still need local access or malware already running on the machine. The problem is that Edge makes their job easier than it should be. When a browser loads your entire password vault into memory in plain text, it lowers the bar for what an attacker needs to succeed. It is the difference between a locked filing cabinet and a stack of documents left on the kitchen table.
This discovery also arrives at a moment when Microsoft is trying to convince the world that it is entering a new era of security-first product development. After a string of high-profile incidents, including the Storm-0558 email breach, the Recall controversy, and multiple Azure cloud vulnerabilities, the company announced its Secure Future Initiative. Executives described it as a cultural reset that would put security above shipping features. That message sounded good on stage, but incidents like this Edge password flaw make it harder to believe that the shift has fully taken hold.
Edge itself has been going through an identity crisis. Microsoft has been stripping out features like Collections, rearranging the sidebar, and pushing Copilot deeper into the interface. The browser feels like a product in flux, and this password issue adds another layer of uncertainty. When a browser is trying to reinvent itself, the last thing it needs is a security story that suggests the fundamentals are not being handled with care.
What makes this situation even more frustrating is that password handling is not an exotic or experimental feature. It is table stakes. Users trust their browser to store sensitive information safely. They assume the browser is doing the right thing behind the scenes. When that trust is shaken, it is hard to win back. Microsoft can patch this specific flaw, but the larger question is whether the company is consistently applying its own security principles across all products.
If Microsoft truly wants to rebuild trust, it needs to show that security first is more than a slogan. It needs to demonstrate that even the unglamorous parts of its products, like how a browser stores passwords in memory, are being designed with the same seriousness as its public commitments. Until then, stories like this will keep surfacing, and each one will chip away at the narrative Microsoft is trying to build.

