Normally, when you save passwords in a browser, they are encrypted (locked) while stored on disk and are only decrypted (unlocked) briefly when needed (like for autofill).

But Microsoft Edge has been doing something different all along:
At startup, it unlocked ALL saved passwords immediately. It kept them sitting in your computer’s memory (RAM) in plain text, and they stayed there for the entire session, even if unused.

Think of it like this: Instead of unlocking one password when you need it, Edge dumped your entire password list on the table the moment it opened.
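
Here is a small sketch of the two designs described above, added as an illustration; it is not Edge's code. The class names are hypothetical, the logins are constructed sample data, and the cipher is a toy stand-in for a browser's real encryption.

```python
import hashlib
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream); a stand-in, not real browser crypto."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Vault:
    """The encrypted store, as kept on disk: site -> (nonce, ciphertext)."""
    def __init__(self, logins: dict):
        self.key = secrets.token_bytes(32)
        self.rows = {}
        for site, password in logins.items():
            nonce = secrets.token_bytes(12)
            self.rows[site] = (nonce, xor_stream(self.key, nonce, password.encode()))

    def unlock(self, site: str) -> bytearray:
        nonce, ciphertext = self.rows[site]
        return bytearray(xor_stream(self.key, nonce, ciphertext))

class EagerSession:
    """Unlocks every password at startup and keeps them all for the session."""
    def __init__(self, vault: Vault):
        self.unlocked = {site: vault.unlock(site) for site in vault.rows}

    def autofill(self, site: str, fill) -> None:
        fill(self.unlocked[site])

class OnDemandSession:
    """Unlocks one password only while it is being used, then wipes it."""
    def __init__(self, vault: Vault):
        self.vault, self.unlocked = vault, {}

    def autofill(self, site: str, fill) -> None:
        buf = self.unlocked[site] = self.vault.unlock(site)
        try:
            fill(buf)
        finally:
            buf[:] = bytes(len(buf))  # overwrite the plaintext in place...
            del self.unlocked[site]   # ...then drop the reference to it

def exposed_sites(session, logins: dict) -> list:
    """Sites whose plaintext password the session is holding right now."""
    return sorted(s for s, b in session.unlocked.items() if bytes(b) == logins[s].encode())

LOGINS = {"bank.example": "correct-horse", "mail.example": "battery-staple"}  # constructed sample
```

With the eager session, `exposed_sites` lists every saved login for the whole session; with the on-demand session it lists a login only while the `fill` callback is running.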

Why is that a security concern?
This matters because RAM can be read by other programs. If someone (or malware) gains enough access to your system, they could scan memory and extract all your passwords instantly, with no need to crack encryption or wait for you to log in. Security researchers even demonstrated a tool that could dump all passwords directly from memory.

What Microsoft is changing now:
After much backlash, Microsoft is fixing it: Edge will no longer load all passwords into memory at startup, and the fix is rolling out starting with Edge version 148.

So, this isn’t a “panic now” situation, but the risk becomes real if:
– You download shady software or get malware
– You use shared computers (family, work, school)
– Your computer is already compromised

Bigger takeaway.
Browser password managers are convenient, but they are not the most secure option for storing all your credentials. They keep everything in one place, depend largely on the browser’s built-in protections, and lack the stronger safeguards of a dedicated password vault.

What you should do.
You don’t need to stop using Edge, but you can be smarter about it:
– Keep Edge updated. The fix is automatic, but only if your browser is up to date.

Better options:
1. Consider a dedicated password manager like Bitwarden, 1Password or Dashlane.
2. Always turn on 2‑factor authentication (2FA). Even if a password gets stolen, hackers still can’t log in without the second factor.

Bottom line:
The Edge issue didn’t mean passwords were publicly exposed, but it made passwords easier to steal in certain attack scenarios. Microsoft is fixing this because it unnecessarily increased the security risk to users.

Let this act as a good reminder to upgrade your security habits.
* Edge had a design flaw that increased risk, which is now being fixed
* Chrome already uses a safer runtime approach
* Dedicated password managers are still the gold standard

The real takeaway:
The biggest risk isn’t which browser you use — it’s whether your system gets compromised. Using a dedicated password manager just gives you extra protection if/when that happens.

PC World:
https://www.pcworld.com/article/3131805/microsoft-backtracks-on-edge-storing-your-passwords-in-plaintext-ram.html

Bleeping Computer:
https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup/
